Akismet 2.5.6 Vulnerability (5 posts)

  1. paulswebsolutions
    Member
    Posted 2 years ago #

    Hi

    Akismet 2.5.6 may have vulnerabilities that allow files to be created/uploaded within the plugins/akismet folder.

    I've seen this attack twice on two different unrelated domains. In both cases, the vulnerability was used to do mass emailing/spoofing.

    The first incident was about a month ago; no recurrence after I removed the malware and set permissions to 544 on the akismet directory.

    This appears to be the most detailed analysis:

    http://bot24.blogspot.com.au/2012/07/wordpress-akismet-vulnerabilities.html

    I realise this isn't the most comprehensive report, but I'd be surprised if you aren't already looking at this. Just thought I'd report it officially since I can't find much online about it being acknowledged/addressed.

    Cheers

    Paul

    http://wordpress.org/extend/plugins/akismet/

  2. Ian Dunn
    Member
    Posted 2 years ago #

    Here's another report that has some different information.

  3. Alex Shiels
    Member
    Plugin Author
    Posted 2 years ago #

    We'll post something on blog.akismet.com soon.

    In short, the claims appear to be invalid. It describes an attack on Akismet 2.5.6 with WordPress 2.0 or earlier - which isn't even possible, since Akismet 2.5 requires WP 3.0 and will refuse to run in older WP versions.

    We haven't responded because the person who published the report made no attempt to contact us.

  4. Nitzanb
    Member
    Posted 1 year ago #

    I have a WordPress website running WP 3.4.2 with Akismet 2.5.6.
    Last night I got a call from my hosting company; their auto scripts found a hacking attempt on the WP through Akismet.

    It seems that the user managed to create a new PHP file, write information inside and download some C files.

    I have complete htaccess logs, and I also have the files created by the hacker.

    TellyWorth - How can I contact you? or maybe you can contact me at nitzanb(at)gmail.com? I'll send you all the information.
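
Both incidents in this thread (Paul's files created under plugins/akismet, Nitzanb's newly created PHP file) raise the same practical question for whoever is cleaning up: which files under the plugin directory are not the ones the plugin shipped with? The script below is an added example, not code from the thread, from Akismet or from WordPress. It records a SHA-256 manifest of a plugin directory and later reports files that were added, changed or removed, plus a quick listing of PHP files modified after the manifest was written. The directory layout, file names and manifest path are constructed for the demo; on a real site the baseline should be taken from a freshly downloaded copy of the plugin, not from a tree that may already be compromised. File names containing whitespace are not handled (awk splits on it), which is fine for WordPress core and its bundled plugins.

```shell
#!/bin/sh
# Added example: baseline-and-compare integrity check for a WordPress plugin
# directory such as wp-content/plugins/akismet. Not from the thread or from
# Akismet. All paths and sample files below are constructed for the demo.
# Caveat: awk splits on whitespace, so file names with spaces are not handled.

# Print "sha256  path" for one file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# Print "sha256  ./relative/path" for every regular file under $1, sorted.
# Save this output from a known-good copy of the plugin as the baseline.
plugin_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          hash_file "$f"
      done )
}

# Compare the tree at $1 against the saved manifest $2.
# One line per difference: "ADDED   path", "CHANGED path" or "REMOVED path".
plugin_diff() {
    plugin_manifest "$1" | awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # baseline manifest
        {                                             # current manifest (stdin)
            seen[$2] = 1
            if (!($2 in base))        print "ADDED   " $2
            else if (base[$2] != $1)  print "CHANGED " $2
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" -
}

# List PHP files under $1 modified after the manifest $2 was written: a fast
# first look when a host reports a new .php file, before the full diff.
recent_php() {
    ref="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
    ( cd "$1" && find . -type f -name '*.php' -newer "$ref" | LC_ALL=C sort )
}

# Demo on a constructed plugin tree (file names are made up, not Akismet's).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/plugin/lib"
    printf '<?php // plugin main\n'  > "$tmp/plugin/plugin.php"
    printf 'body { color: red }\n'   > "$tmp/plugin/lib/style.css"
    plugin_manifest "$tmp/plugin" > "$tmp/baseline.sha256"

    sleep 1   # make sure the planted file is newer than the manifest
    # Simulate the incident: a dropped PHP file and a tampered original.
    printf '<?php // dropped file (simulated)\n' > "$tmp/plugin/lib/cache.php"
    printf '<?php // plugin main, modified\n'    > "$tmp/plugin/plugin.php"

    echo "--- differences against baseline:"
    plugin_diff "$tmp/plugin" "$tmp/baseline.sha256"
    echo "--- PHP files newer than baseline:"
    recent_php "$tmp/plugin" "$tmp/baseline.sha256"
    rm -rf "$tmp"
}

demo
```

In practice the manifest is written once per plugin version and re-run from cron or after any host alert; a non-empty diff on a plugin whose files should never change on a production site is the signal to pull the added files for analysis rather than delete them, as Nitzanb did.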

  5. Ian Dunn
    Member
    Posted 1 year ago #

    Nitzanb, you might want to try the contact form on Automattic's security page.

Topic Closed

This topic has been closed to new replies.
