WordPress 0 day exploit (version 3.0.1 and older)

We posted last week about the release of WordPress 3.0.2 that fixes a few security vulnerabilities.

Today, full details of the vulnerability and exploit code have been released. So if you haven’t upgraded yet, make sure to do so now (specially if your site has multiple authors).

“The do_trackbacks() function in wp-includes/comment.php does not properly escape the input that comes from the user, allowing a remote user with publish_posts and edit_published_posts capabilities to execute an arbitrary SELECT SQL query, which can lead to disclosure of any information stored in the WordPress database.”

Details here: http://www.vul.kr/wordpress-all-version-0day-exploit

Interested in WordPress security monitoring, visit http://sucuri.net.

David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

2 comments

Comments are closed.

WordPress Hack Modifies Core Files to Share Spam

Bruno Zanelato
October 4, 2016

One of the worst feelings a website owner can experience is discovering that your site has been hacked. Without proper security measures in place, even…

Read the Post

A New Wave of Buggy WordPress Infections

Denis Sinegubko
October 2, 2019

We’ve been following an ongoing malware campaign for the past couple of years now. This campaign is renowned for its prompt addition of exploits for…

Read the Post

WordPress Plugin & Theme Vulnerability & Patch Roundup June 2023

WordPress Vulnerability & Patch Roundup June 2023

Cesar Anjos
June 27, 2023

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes…

Read the Post

Massive Abuse of EvalPHP WordPress Plugin

Massive Abuse of Abandoned Eval PHP WordPress Plugin

Ben Martin
April 19, 2023

Attackers are always finding new and creative ways to compromise websites and maintain their foothold in environments. This is frequently done via the use of…

Read the Post

DDoS Targeting WordPress Search

Northon Torga
April 8, 2019

Have you ever stopped to think about how many resources a search engine has or if your website could handle the same amount of search…

Read the Post

Throwback Threat Thursday: WordPress 4.7 WP-JSON Content Injection Vulnerability

Justin Channell
March 12, 2020

Throwback Threat Thursday is a series of posts where we recall older vulnerabilities that have since been patched by their developers. In the past, these…

Read the Post

Vulnerabilities Digest: March 2020

John Castro
March 27, 2020

Fixed Plugins and Vulnerabilities Plugin Vulnerability Patched Version Installs Cookiebot Reflected Cross-Site Scripting 3.6.1 40000 Data Tables Generator By Supsystic Authenticated Stored XSS 1.9.92 30000…

Read the Post

How Domain Expiration Can Potentially Disrupt Other Websites

Luke Leal
August 22, 2019

A website owner recently reached out to us about a pop-up advertisement problem on their website which occurred any time someone clicked anywhere on the…

Read the Post

WordPress Security

Cloned Spam Sites in Subdirectories

Fernando Barbosa
November 15, 2016

In a recent post, we covered how attackers were abusing server resources to create WordPress sites in subdirectories and distribute spam. By adding a complete…

Read the Post

7 Tips for Protecting Your Website

Art Martori
March 2, 2020

For many people, website security is an intimidating topic. It seems like there’s an endless list of things necessary for protecting your website. And while…

Read the Post

2 comments

Related Categories

You May Also Like