[Security] WordPress PHP Code Injection Vulnerability

Viewing 3 replies - 1 through 3 (of 3 total)
  • Peter Westwood
    WordPress Lead Developer

    @westi

    Reading through this, it is based on exploiting the file cache, which is disabled by default in v2.0.2 because it caused too many issues getting it to work on every possible combination of PHP/CGI/Webserver/Host OS, so it won’t affect a v2.0.2 install unless you enable the caching to disk of db data.

    You also have to have an easy-to-guess database password to make the exploit feasible.

    Downloaded and ran the exploit, but also here, it would not want to do anything and died …

    I also generate the passwords as random; so no easy guessing.

    Still, the underlying vulnerability is scary, and 🙁

    Hoping for a patch, nevertheless.

    Peter Westwood
    WordPress Lead Developer

    @westi

    v2.0.3 is now released with the fix for this included.

    See: wordpress.org/development/2006/06/wordpress-203/
