XSS vulnerabilities fixed in Wordpress 2.0.3

June 2nd, 2006 at 09:32 UTC by Steven J. Murdoch

Users are strongly urged to upgrade their version of Wordpress to 2.0.3 (as you will see, we already have!). This release fixes two XSS vulnerabilities that I reported to Wordpress on 14 Apr 2006 and 4 May 2006, although they are not mentioned in the release announcement. These are exploitable in the default installation and can readily lead to arbitrary PHP code execution.

I think there are a number of interesting lessons to learn from these vulnerabilities, so I plan to post more details in 10 days' time (thereby giving users a chance to upgrade). The nature of the problem can probably be deduced from the code changes, so there is limited value in waiting much longer.

I will also discuss a refinement of the ‘cache’ shell injection bug reported by rgodm, which is also fixed by Wordpress 2.0.3. The new attack variant I discovered no longer relies on a guessable database password, but only applies when the Subscribe To Comments plugin is also activated. The latest version of the plugin (2.0.4) mitigates this attack, but upgrading Wordpress is still recommended.

