8 June 2007, 14:52

SQL injection vulnerability in Wordpress

An SQL injection vulnerability in Wordpress may be used to compromise blog systems running the suite. An exploit has been published on Milw0rm which allows unauthorised access to the underlying database through the function wp.suggestCategories in the xmlrpc.php module. This does not filter user parameters correctly, allowing attackers to pass their own commands to the database, for instance to manipulate content or view names and password hashes of other users. Attackers must, however, authenticate themselves to exploit this flaw.

This vulnerability has been discovered in version 2.2, other version are not affected. The user authentication required to exploit it minimises the risk of potential attacks and users are advised to grant write access to the system exclusively to trusted persons. However a patch has been made available.

Also on The H:

Share this article

SQL injection vulnerability in Wordpress

Also on The H:

Microsoft's struggle against bugs

CSI:Internet - Open heart surgery

CSI:Internet - A trip into RAM

The H Update Check

Internet Toolkit

Monopoly madness

What's new in Linux 3.4

A Practical Internet of Things

Booting up: Tools and tips for systemd

Kernel Log: Coming in 3.4 (Part 3) - Graphics drivers

Control Centre: The systemd Linux init system

Kernel Log: Coming in 3.4 (Part 2) - Filesystems, storage and drivers

Kernel Log: Coming in 3.4 (Part 1) - Infrastructure

What's new in Linux 3.3

Building a GSM network with open source

CSI:Internet - Controlled from the beyond

Price Insight Top 10 powered by Skinflint

The H

The H open source

The H Security

The H Internet Toolkit