Support » Requests and Feedback » OMG Pwnies! (Surprisingly enough, this is legit.)

  • So a colleague of mine raised my attention to the Pwnie Award Nominees; looks like they are quite valid and prolific in their criticism of some of the security failures of late.

    My question being; I’m a recent WordPress convert that has become quite smitten with utilizing the underlying core to power one-off CMS jobs. I’ve noticed the WP security blog has been quite dark of late; is there any activity within the community to fix these holes? Where is the transparency? Is the large number of defects anything that WP admins and users should be concerned about?

    I hate to be doom and gloom, but I will admit that the high number of SQL injection vulnerabilities in the application grossly concerns me.


Viewing 2 replies - 1 through 2 (of 2 total)
  • Ouch! It was my understanding that WP was one of the most secure blogging platforms out there. Although because it is the most widely used, it’s obviously going to be the widest targeted.

    Thanks for the links.

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    Very few, if any, of those appear valid to me. Almost all of those are for plugins (which are third-party, not written by the WordPress team), and the couple I see for WordPress itself have been fixed and/or are invalid to begin with.

    Take this one for example:

    The description is:

    Unrestricted file upload vulnerability in WordPress 2.5.1 and earlier might allow remote authenticated administrators to upload and execute arbitrary PHP files via the Upload section in the Write Tabs area of the dashboard.

    Anybody else spot the “might allow remote authenticated administrators”? An “authenticated administrator” has the right to do anything he likes. He’s the freakin’ ADMIN. That’s not a vulnerability, it’s a FEATURE.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘OMG Pwnies! (Surprisingly enough, this is legit.)’ is closed to new replies.