
OMG Pwnies! (Surprisingly enough, this is legit.) (3 posts)

  1. Anonymous
    Unregistered
    Posted 5 years ago

    So a colleague of mine drew my attention to the Pwnie Award Nominees; looks like they are quite valid and prolific in their criticism of some of the security failures of late.

    My question being: I'm a recent WordPress convert that has become quite smitten with utilizing the underlying core to power one-off CMS jobs. I've noticed the WP security blog has been quite dark of late; is there any activity within the community to fix these holes? Where is the transparency? Is the large number of defects anything that WP admins and users should be concerned about?

    I hate to be doom and gloom, but I will admit that the high number of SQL injection vulnerabilities in the application grossly concerns me.

    -E

  2. cldnails
    Member
    Posted 5 years ago

    Ouch! It was my understanding that WP was one of the most secure blogging platforms out there. Although because it is the most widely used, it's obviously going to be the most widely targeted.

    Thanks for the links.

  3. Samuel Wood (Otto)
    Tech Ninja
    Posted 5 years ago

    Very few, if any, of those appear valid to me. Almost all of those are for plugins (which are third-party, not written by the WordPress team), and the couple I see for WordPress itself have been fixed and/or are invalid to begin with.

    Take this one for example:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2392

    The description is:

    Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard.

    Anybody else spot the "might allow remote authenticated administrators"? An "authenticated administrator" has the right to do anything he likes. He's the freakin' ADMIN. That's not a vulnerability, it's a FEATURE.
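The trust boundary Otto is pointing at, as an added illustration that is not code from the original post or from WordPress itself: an upload handler is only exploitable if a caller who is not already trusted to run code on the server can get a .php file into a web-served directory. The role names, capability names and extension allow-list below are assumptions chosen to mirror the thread's argument, not WordPress's own tables.

```php
<?php
// Added illustration (not WordPress code). The allow-list is enforced for everyone
// except a role that is explicitly granted unfiltered uploads; that role is the
// equivalent of an administrator who already owns the site and could just as well
// edit a theme file, so letting it upload PHP adds no attack surface.

// Extensions an ordinary author/editor may upload. Executable types are never listed.
const SAFE_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Hypothetical role table (assumption). Only "administrator" is trusted with server-side code.
const ROLE_CAPS = [
    'administrator' => ['upload_files', 'unfiltered_upload'],
    'editor'        => ['upload_files'],
    'subscriber'    => [],
];

function user_can(string $role, string $cap): bool {
    return in_array($cap, ROLE_CAPS[$role] ?? [], true);
}

// Decide whether $filename may be stored. Returns null on success or an error string.
function check_upload(string $role, string $filename): ?string {
    if (!user_can($role, 'upload_files')) {
        return 'no upload_files capability';
    }
    // Fully trusted callers may upload anything: this is the "feature" Otto refers to,
    // gated on a capability that ordinary roles never receive.
    if (user_can($role, 'unfiltered_upload')) {
        return null;
    }
    // Check every dot-separated part, not only the last one: "shell.php.jpg" must
    // be rejected, because some web server handler configurations (e.g. Apache
    // AddHandler-style matching) execute a file if any segment matches .php.
    $parts = explode('.', strtolower(basename($filename)));
    array_shift($parts); // drop the base name, keep only the extensions
    if ($parts === []) {
        return 'file has no extension';
    }
    foreach ($parts as $ext) {
        if (!in_array($ext, SAFE_EXTENSIONS, true)) {
            return "extension .$ext is not permitted";
        }
    }
    return null;
}

// Constructed sample decisions (not taken from any real site).
$cases = [
    ['editor',        'photo.jpg',     null],
    ['editor',        'shell.php',     'extension .php is not permitted'],
    ['editor',        'shell.php.jpg', 'extension .php is not permitted'],
    ['editor',        'README',        'file has no extension'],
    ['subscriber',    'photo.jpg',     'no upload_files capability'],
    ['administrator', 'plugin.php',    null], // trusted: no different from editing a theme file
];
foreach ($cases as [$role, $name, $expected]) {
    $result = check_upload($role, $name);
    assert($result === $expected);
    printf("%-13s %-14s -> %s\n", $role, $name, $result ?? 'accepted');
}
```

The point of the example is the second branch: a finding that requires `unfiltered_upload` (here, the administrator) is describing the trust model, not a bug, while a finding that lets an editor or an unauthenticated visitor reach the `return null` path with a .php name would be a real vulnerability. Run it with `php check_upload.php` (PHP 7.1 or later, `zend.assertions=1` to make the assertions active).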


This topic has been closed to new replies.