Attention All WordPress Users: Critical Flaw Detected

Got this from Lorelle, who got it from the creator of Spam Karma, Dr. Dave. It’s a massive security flaw that affects any and all users of the standalone version of WordPress, both the 1.5.X and 2.0.X lines, but not WordPress.com or any WordPress Multi User versions. In Dr. Dave’s words from his post:

If you are running WordPress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked).

Additionally, delete or disable ANY guest account already created by people you are not sure about.

Apparently there is an exploit that allows registered guests to start making a whole mess of your account even if they are set to the “Subscriber” role. If you’re one of those people who turned registration on because you wanted added moderation for your comments, you’re going to be inviting a lot of trouble if you leave it on.

So far, I can’t really confirm or deny that there is a serious exploit in WordPress through any of my sources, but if memory serves me right, actually confirming it on public channels just invites a whole lot of problems for the rest of the community anyway, since it becomes open knowledge for any yahoo with too much free time on their hands to start exploiting the flaw.

For now though, I’m trusting the source and I recommend that you do the same, especially if you’re a WordPress user who has registration turned on. It can’t hurt to do that for now. After all, it’s better to turn it off until a patch is released, which won’t be for a little while. I’ll keep an eye out for any more developments, but in the meantime…keep your guard up and your eyes open. You don’t want to have your entire account hijacked now, do you?
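As an added example (my own illustration, not code from Dr. Dave’s post, from Lorelle, or from WordPress itself), here is a small Python script that performs the two checks above against a copy of the WordPress tables: is “Anyone can register” (stored as the `users_can_register` option) still on, and which Subscriber-role accounts registered after a cut-off date, so you know which guest accounts to look at. It runs against a constructed in-memory SQLite copy of `wp_options`, `wp_users` and `wp_usermeta`, so every row is invented; the table and column names follow the WordPress 2.0 schema with the default `wp_` prefix (the role is stored as a serialised array in the `wp_capabilities` user meta), and the same queries can be run against a real MySQL database with your own table prefix. WordPress 1.5 stores roles differently (a numeric user level), so the role check assumes 2.0.

```python
import sqlite3

# Constructed sample of the three WordPress 2.0 tables the audit reads.
# Column names follow the real schema; every row below is invented.
SAMPLE_SCHEMA = """
CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                          meta_key TEXT, meta_value TEXT);
"""

# "Anyone can register" is checked, there is one administrator, one
# long-standing subscriber, and two guests who registered recently.
SAMPLE_DATA = """
INSERT INTO wp_options VALUES ('users_can_register', '1');
INSERT INTO wp_users VALUES (1, 'admin',     '2005-03-01 10:00:00');
INSERT INTO wp_users VALUES (2, 'oldfriend', '2005-09-12 08:30:00');
INSERT INTO wp_users VALUES (3, 'guest_one', '2006-03-02 23:14:05');
INSERT INTO wp_users VALUES (4, 'guest_two', '2006-03-03 01:02:03');
INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}');
INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}');
INSERT INTO wp_usermeta VALUES (4, 4, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}');
"""


def build_sample_db():
    """Return an in-memory SQLite database holding the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA + SAMPLE_DATA)
    return conn


def registration_enabled(conn):
    """True when the 'Anyone can register' box is checked (option value '1')."""
    row = conn.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'users_can_register'"
    ).fetchone()
    return row is not None and row[0] == "1"


def subscriber_accounts(conn, since):
    """Logins of Subscriber-role accounts registered on or after `since`.

    `since` is a 'YYYY-MM-DD HH:MM:SS' (or 'YYYY-MM-DD') string; WordPress
    stores user_registered as text in that format, so a string compare works.
    The role lives in the serialised wp_capabilities array, so we look for
    the quoted role name inside it rather than unserialising the PHP value.
    """
    rows = conn.execute(
        """SELECT u.user_login
           FROM wp_users u
           JOIN wp_usermeta m ON m.user_id = u.ID
           WHERE m.meta_key = 'wp_capabilities'
             AND m.meta_value LIKE '%"subscriber"%'
             AND u.user_registered >= ?
           ORDER BY u.user_registered""",
        (since,),
    ).fetchall()
    return [login for (login,) in rows]


def disable_registration(conn):
    """Same effect as unchecking 'Anyone can register' in wp-admin >> Options."""
    conn.execute(
        "UPDATE wp_options SET option_value = '0' WHERE option_name = 'users_can_register'"
    )
    conn.commit()


def audit(conn, since):
    """Both checks in one place: the registration flag and recent guest accounts."""
    return {
        "registration_enabled": registration_enabled(conn),
        "recent_subscribers": subscriber_accounts(conn, since),
    }


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", audit(db, "2006-01-01"))
    disable_registration(db)
    print("after: ", audit(db, "2006-01-01"))
```

The `recent_subscribers` list is the set of accounts to review and delete or disable if you don’t recognise them; `disable_registration` closes the door to new ones, which is the workaround the post recommends until a patch ships.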

3 thoughts on “Attention All WordPress Users: Critical Flaw Detected”

  1. Thanks for the update – although since Dr Dave has already publicised it, it doesn’t make sense for WP devs not to put at least an advisory on wordpress.org. What we’re likely to get now is a whole lot of web savvy people who know there is a vulnerability compared to regular or newbie WP bloggers who don’t know since they probably don’t stalk WP discussion blogs.
    At least an official advisory should show up on their dashboard when they log in (for WP 2 users, at least).

  2. Well, that’s how it goes for a lot of security flaws. The moment you publicise and confirm it, you get all the yahoos from the woodwork attacking the system. Even so, you can’t work from the dashboard to inform people as well, since it’s the RSS feed from the WordPress Dev Blog and it would still give the same problem either way.

    As long as users are aware that there is a problem and most importantly a temporary solution till the patch comes out, then it should be good.
