Hole in WordPress allows third parties to edit users’ posts
The developers of the WordPress blogging system have published version 2.3.3 to close a security hole. An error in the implementation of XML-RPC allows third parties to edit other bloggers' posts using crafted HTTP requests. A valid user account is necessary to accomplish this, according to the vulnerability report. This is not the first time WordPress has had to struggle with its implementation of XML-RPC.
In addition to this vulnerability, some other errors have also been eliminated in the new version. The developers recommend that anyone who is only interested in this security fix should just download and install the corrected version of the offending script: xmlrpc.php. The report also identifies a vulnerability in the WP-Forum plug-in, which has already been actively exploited in order to gain access to the underlying database via SQL injection. Until an update appears, the plug-in should be disabled, according to WordPress.
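The flaw class described above, a user with a valid account editing another blogger's post over XML-RPC, is an authorization gap sitting behind a working authentication check. The following is an added Python model, not WordPress's own code: the method name `blog.editPost`, the user accounts and the posts are constructed for the illustration. It parses an XML-RPC edit call and contrasts a handler that only verifies credentials with one that also checks whether the caller may edit that particular post.

```python
"""Model of an XML-RPC post-edit endpoint: credential check alone versus
credential check plus per-post authorization. All data here is constructed."""
import xmlrpc.client
from dataclasses import dataclass


@dataclass
class Post:
    post_id: int
    author: str
    content: str


# Constructed sample state: two ordinary users, one post each, no admins.
USERS = {"alice": "alice-pw", "bob": "bob-pw"}
POSTS = {1: Post(1, "alice", "Alice's draft"), 2: Post(2, "bob", "Bob's draft")}
ADMINS: set = set()


def authenticate(username: str, password: str) -> bool:
    """Authentication: is this a valid account? Says nothing about what it may touch."""
    return USERS.get(username) == password


def can_edit(username: str, post: Post) -> bool:
    """Authorization: only the post's author or a site admin may edit it."""
    return post.author == username or username in ADMINS


def build_request(post_id: int, username: str, password: str, new_content: str) -> str:
    """Build the XML-RPC call body a client would POST (hypothetical method name)."""
    return xmlrpc.client.dumps((post_id, username, password, new_content),
                               methodname="blog.editPost")


def handle_edit_post(body: str, enforce_ownership: bool) -> str:
    """Dispatch the call. enforce_ownership=False reproduces the flaw class from the
    article: any valid account can edit any post. True adds the per-post check."""
    params, method = xmlrpc.client.loads(body)
    if method != "blog.editPost":
        return "fault: unknown method"
    post_id, username, password, new_content = params
    if not authenticate(username, password):
        return "fault: bad credentials"
    post = POSTS.get(post_id)
    if post is None:
        return "fault: no such post"
    if enforce_ownership and not can_edit(username, post):
        return "fault: not permitted to edit this post"
    post.content = new_content
    return "ok"


def demo() -> tuple:
    """Bob, a valid user, tries to edit Alice's post under both handler variants."""
    req = build_request(1, "bob", "bob-pw", "edited by bob")
    unchecked = handle_edit_post(req, enforce_ownership=False)  # succeeds: the flaw
    POSTS[1].content = "Alice's draft"                          # reset sample state
    checked = handle_edit_post(req, enforce_ownership=True)     # refused
    return unchecked, checked
```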
See also:
- WordPress 2.3.3, vulnerability report by Wordpress.org
(mba)