In association with heise online

05 February 2008, 13:16

Hole in WordPress allows third parties to edit users’ posts


The developers of the WordPress blogging system have published version 2.3.3 to close a security hole. An error in the implementation of XML-RPC allows third parties to edit other bloggers' posts using crafted HTTP requests. A valid user account is necessary to accomplish this, according to the vulnerability report. This is not the first time WordPress has had to struggle with its implementation of XML-RPC.
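The flaw described above belongs to a well-known class: the request is authenticated (a valid account is required) but not authorized against the specific post being edited. The following PHP sketch is an added illustration, not WordPress code and not the actual xmlrpc.php defect; it shows a hypothetical XML-RPC-style "edit post" handler in its vulnerable form (authentication only) beside its hardened form (authentication, then a per-post ownership or capability check). All user, post and role data are constructed sample values.

```php
<?php
// Added example (not WordPress code): an XML-RPC-style "edit post"
// handler. The vulnerable variant checks only that the caller has a
// valid account; the hardened variant also checks that the caller is
// allowed to edit the particular post named in the request.

// Constructed sample data: users with password hashes and a role,
// posts with the id of their author. The 'editor' role is a
// hypothetical capability meaning "may edit anyone's posts".
$users = [
    'alice' => ['id' => 1, 'hash' => password_hash('alice-pw', PASSWORD_DEFAULT), 'role' => 'author'],
    'bob'   => ['id' => 2, 'hash' => password_hash('bob-pw',   PASSWORD_DEFAULT), 'role' => 'author'],
    'eve'   => ['id' => 3, 'hash' => password_hash('eve-pw',   PASSWORD_DEFAULT), 'role' => 'editor'],
];
$posts = [
    10 => ['author_id' => 1, 'title' => "Alice's post", 'body' => 'original text'],
];

// Authentication: returns the user record for valid credentials, else null.
function authenticate(array $users, string $username, string $password): ?array
{
    if (!isset($users[$username])) {
        return null;
    }
    if (!password_verify($password, $users[$username]['hash'])) {
        return null;
    }
    return $users[$username];
}

// Authorization: owners may edit their own posts; the hypothetical
// 'editor' role may edit any post. Everyone else is denied.
function can_edit_post(array $user, array $post): bool
{
    if ($user['role'] === 'editor') {
        return true;
    }
    return $user['id'] === $post['author_id'];
}

// Vulnerable pattern: any valid account can edit any post id it names.
function edit_post_vulnerable(array $users, array &$posts, string $u, string $p, int $postId, string $newBody): bool
{
    $user = authenticate($users, $u, $p);
    if ($user === null || !isset($posts[$postId])) {
        return false;
    }
    $posts[$postId]['body'] = $newBody;   // no check that $user may edit this post
    return true;
}

// Hardened pattern: authenticate, then authorize against the target post,
// and log denied attempts so they can be picked up by monitoring.
function edit_post_hardened(array $users, array &$posts, string $u, string $p, int $postId, string $newBody): bool
{
    $user = authenticate($users, $u, $p);
    if ($user === null || !isset($posts[$postId])) {
        return false;
    }
    if (!can_edit_post($user, $posts[$postId])) {
        error_log(sprintf('denied: user %d attempted to edit post %d', $user['id'], $postId));
        return false;
    }
    $posts[$postId]['body'] = $newBody;
    return true;
}

// Demonstration: bob holds a valid account but is not the author of post 10.
$copy = $posts;
var_dump(edit_post_vulnerable($users, $copy, 'bob', 'bob-pw', 10, 'tampered'));   // succeeds: the flaw
var_dump(edit_post_hardened($users, $posts, 'bob', 'bob-pw', 10, 'tampered'));    // denied
var_dump(edit_post_hardened($users, $posts, 'alice', 'alice-pw', 10, 'updated')); // owner: allowed
var_dump(edit_post_hardened($users, $posts, 'eve', 'eve-pw', 10, 'edited'));      // editor role: allowed
```

The design point is that the authorization decision is made against the object actually being modified, not just against the session: the check belongs inside every method that takes a post id from the request, which is also why a fix of this kind can be shipped as a replacement of the single script that implements those methods.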

In addition to this vulnerability, some other errors have also been eliminated in the new version. The developers recommend that anyone who is only interested in this security fix should just download and install the corrected version of the offending script: xmlrpc.php. The report also identifies a vulnerability in the WP-Forum plug-in, which has already been actively exploited in order to gain access to the underlying database via SQL injection. Until an update appears, the plug-in should be disabled, according to WordPress.
