[Moderated – URL removed]
Input passed to the “cache_lastpostdate” parameter via cookies is not properly sanitised before being used. This can be exploited to inject arbitrary PHP script code.
Successful exploitation requires that “register_globals” is enabled.
The vulnerability has been confirmed in version 22.214.171.124. Other versions may also be affected.
I would have expected to see a warning on the WordPress site. Disappointing.
I’ll close the blogs I am hosting for the time being.
- The topic ‘WordPress with “Highly critical” vulnerability From Remote’ is closed to new replies.