Title: (security issue) WordPress PHP Code Injection Vulnerability
Last modified: August 18, 2016

---

# (security issue) WordPress PHP Code Injection Vulnerability

 *  [clsung](https://wordpress.org/support/users/clsung/)
 * (@clsung)
 * [19 years, 11 months ago](https://wordpress.org/support/topic/security-issue-wordpress-php-code-injection-vulnerability/)
 * Has anyone observed this problem?
 * “WordPress PHP Code Injection Vulnerability”
   [http://secunia.com/advisories/20271/](http://secunia.com/advisories/20271/)
   [http://www.securityfocus.com/archive/1/435039/30/0/threaded](http://www.securityfocus.com/archive/1/435039/30/0/threaded)

Viewing 9 replies - 1 through 9 (of 9 total)

 *  [Lester Chan](https://wordpress.org/support/users/gamerz/)
 * (@gamerz)
 * [19 years, 11 months ago](https://wordpress.org/support/topic/security-issue-wordpress-php-code-injection-vulnerability/#post-395178)
 * It has been posted before.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [19 years, 11 months ago](https://wordpress.org/support/topic/security-issue-wordpress-php-code-injection-vulnerability/#post-395179)
 * Yes, it’s been brought to the attn of the devs, and mentioned on the forums 2x
   today already.
 * Dare I reply lest this thread is removed also.
 *  [Peter Westwood](https://wordpress.org/support/users/westi/)
 * (@westi)
 * [19 years, 11 months ago](https://wordpress.org/support/topic/security-issue-wordpress-php-code-injection-vulnerability/#post-395182)
 * This vulnerability will not affect your blog unless the following three criteria
   are met:
    1. You have enabled the caching of db info to disk which is disabled by default
       in 2.0.2
    2. You have a simple /null database password. This is needed to make the filename
       of the cache file guessable and the exploit easy to achieve
    3. You have user registration enabled
 * Basically for a default 2.0.2 install you are completely safe if you don’t have
   the cache enabled or user registration is disabled and you are still pretty safe
   with them enabled unless your db password is easy to guess.
 *  [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [19 years, 11 months ago](https://wordpress.org/support/topic/security-issue-wordpress-php-code-injection-vulnerability/#post-395185)
 * “Dare I reply lest this thread is removed also.”
 * ‘Security’ threads are not usually removed but some people do get overexcited
   and we’ll start having the “OMG!!11111!!!!! My BloG wiLL bE HacKed!!!!” gang
   descending in droves, slagging the program off, saying WP takes nothing seriously
   etc etc etc. That does nothing except give a platform to people who know little
   but can scare more, and worry those who have no need. It gets really tedious.
   
   The decision to close the thread / respond was taken on the forum list – no coders
   had any input before that. Hasty? Possibly, but from experience it turns into
   firefighting and those threads never ever have a “WP is doing something? Cool,
   we are all reassured”. If that happened, great. But it doesn’t.
 * Like Westi has said, this takes a set of circumstances rather than a simple action.
 * I’ll add that people should take note of (2) above: “You have a simple /null
   database password.” Regardless of ANY exploit, the weakest link in your wp install
   is your password. Make it better.
 * [http://keepass.sourceforge.net/](http://keepass.sourceforge.net/)
 *  Moderator [Samuel Wood (Otto)](https://wordpress.org/support/users/otto42/)
 * (@otto42)
 * WordPress.org Admin
 * [19 years, 10 months ago](https://wordpress.org/support/topic/security-issue-wordpress-php-code-injection-vulnerability/#post-395243)
 * >  1. You have enabled the caching of db info to disk which is disabled by default
   > in 2.0.2
 * Actually, I believe that is enabled by default. At least, my site has the cache,
   and I never explicitly turned it on.
 * > 2. You have a simple /null database password. This is needed to make the filename
   > of the cache file guessable and the exploit easy to achieve
   >  3. You have user
   > registration enabled
 * Both true.
 *  [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [19 years, 10 months ago](https://wordpress.org/support/topic/security-issue-wordpress-php-code-injection-vulnerability/#post-395248)
 * If your wp-content is writable, then cache is ON by default in 2.0.2.
 * If your wp-content is NOT writable, then cache is not written but you see no
   error.
 * It is therefore ON.
 * As I wrote here:
   [http://wordpress.org/support/topic/73817?replies=9](http://wordpress.org/support/topic/73817?replies=9)
 * Either way, the right people know.
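A small audit script for the preconditions Westi and podz describe (a weak or empty database password, and a writable wp-content directory that turns the disk cache on in 2.0.2). This is an added example, not code from the thread or from WordPress; it assumes the usual `define('DB_PASSWORD', ...)` line in wp-config.php, uses a constructed config fragment as input, and leaves the third criterion (user registration, stored in the database) unchecked.

```python
import os
import re
import tempfile

# Constructed wp-config.php fragment for the demo (not from the thread).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', '');
define('DB_HOST', 'localhost');
"""

# Matches define('NAME', 'value') with single- or double-quoted strings.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_defines(config_text):
    """Return the string constants defined in a wp-config.php as a dict."""
    return dict(DEFINE_RE.findall(config_text))


def password_is_weak(password, min_len=12):
    """Criterion 2: an empty/null or short DB password (12 chars is an assumed floor)."""
    return len(password) < min_len


def audit(config_text, wp_content_dir):
    """Report which of the thread's preconditions hold for this install."""
    defines = parse_defines(config_text)
    findings = {
        "weak_db_password": password_is_weak(defines.get("DB_PASSWORD", "")),
        # podz: in 2.0.2 the cache is effectively ON whenever wp-content is writable.
        "cache_writable": os.access(wp_content_dir, os.W_OK),
    }
    # Both checked criteria together are what makes the cache file guessable.
    findings["exposed"] = all(findings.values())
    return findings


def demo(config_text=SAMPLE_WP_CONFIG):
    """Run the audit against a throwaway writable directory standing in for wp-content."""
    with tempfile.TemporaryDirectory() as wp_content:
        return audit(config_text, wp_content)


if __name__ == "__main__":
    print(demo())
```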
 *  [spencerp](https://wordpress.org/support/users/spencerp/)
 * (@spencerp)
 * [19 years, 10 months ago](https://wordpress.org/support/topic/security-issue-wordpress-php-code-injection-vulnerability/#post-395304)
 * I don’t usually worry too much about “security issues”, because I’m quite sure
   the “top notches” know of it and things will be dealt with accordingly. =)
 * I just noticed earlier about 2.0.3 Beta being ready for download and ready for
   “testing” on the list..so I’m grabbing a copy of that. I’m not sure if those
   “security issues” were handled in that or not, but I’m just downloading it anyways
   lol!
 * spencerp
 * EDITED* I meant, I noticed that the “version” was changed to 2.0.3-beta, so I
   figured I’d grab it.
   `$wp_version = '2.0.3-beta';` `$wp_db_version = 3796;`
 *  [Peter Westwood](https://wordpress.org/support/users/westi/)
 * (@westi)
 * [19 years, 10 months ago](https://wordpress.org/support/topic/security-issue-wordpress-php-code-injection-vulnerability/#post-395471)
 * v2.0.3 is now released with the fix for this included.
 * See: [http://wordpress.org/development/2006/06/wordpress-203/](http://wordpress.org/development/2006/06/wordpress-203/)
 *  Thread Starter [clsung](https://wordpress.org/support/users/clsung/)
 * (@clsung)
 * [19 years, 10 months ago](https://wordpress.org/support/topic/security-issue-wordpress-php-code-injection-vulnerability/#post-395479)
 * That’s great, Good work!

The topic ‘(security issue) WordPress PHP Code Injection Vulnerability’ is closed
to new replies.

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 9 replies
 * 7 participants
 * Last reply from: [clsung](https://wordpress.org/support/users/clsung/)
 * Last activity: [19 years, 10 months ago](https://wordpress.org/support/topic/security-issue-wordpress-php-code-injection-vulnerability/#post-395479)
 * Status: not resolved