Critical Flaw Discovered in WordPress
Coming direct from the blog of Dr Dave (the evil genius behind anti spam plugin Spam Karma), he reports on a critical flaw that has been discovered in WordPress that can allow very bad things to happen:
If you are running Wordpress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register†is not checked).
Additionally, delete or disable ANY guest account already created by people you are not sure about.
Leaving it open and letting people sign-up for guest accounts on your Wordpress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.
Wordpress dev team has been notified a while back and I dare hope they will soon start acting on it, if only by relaying a similar announcement through the official channel (as well as, of course, releasing a proper patch).
Sorry for the shrill hysterical tone, but this really is a big deal.
[thanks go to geoff_e for discovering and bringing this insane security exploit to my attention]
Subscribe to feed
July 28th, 2006 at 2:36 pm
[...] Thanks to some drastic and controversial actions taken by SpamKarma creator Dr. Dave, a large percentage of the blogging populace has been alerted to a security hole in WordPress. He even went to the effort of activating a warning message that was sent out to everyone who uses his SK2 plugin. This has resulted in a lot of fear spreading amoung a huge number of bloggers. This sort of thing just spreads exponentialy. Here’s a quasi random sampling of two dozen of the first posts on it: ………………….. And these were just from the English blogs that post about this on the same day as the notice going out. The neat thing is that these are some of the most on-top-of-things bloggers out there. Those 24 blogs have some great content and gread visual styles. The are well worth perusing… [...]