It appears that there is a new vulnerability in WordPress 2.0.3 and all earlier versions.
If you run WordPress as your blogging platform and have been trusting enough to leave user registration open to guests, DISABLE IT IMMEDIATELY (in wp-admin >> Options, make sure "Anyone can register" is not checked).
Additionally, delete or disable ANY guest account already created by people you are not sure about.
Leaving it open and letting people sign up for guest accounts on your WordPress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me, I am not exaggerating this. So don't wait a second to disable this option, and please relay the message.
The WordPress dev team was notified a while back, and I dare hope they will soon start acting on it, if only by relaying a similar announcement through the official channel (as well as, of course, releasing a proper patch).
I am not sure of the actual nature of this "exploit" but, just to be on the safe side, be sure to disable "anyone can register", at least for the time being, until I can figure out what this is all about.
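The two mitigations above (turn off "Anyone can register", then review the accounts that were created while it was on) can also be checked and applied straight against the database, which is handy when you administer several blogs. The script below is an added example written for this post, not code from WordPress or from the original author. It assumes the WordPress 2.0.x schema with the default "wp_" table prefix (the registration switch is the `users_can_register` row in `wp_options`, and roles are stored as a PHP-serialized array under the `wp_capabilities` key in `wp_usermeta`), and that self-registered guests get the default "subscriber" role. The rows are constructed sample data loaded into an in-memory SQLite database so it runs offline; the SQL statements are the same ones you would run against the real MySQL database.

```python
import re
import sqlite3

# Constructed sample rows mimicking the relevant WordPress 2.0.x tables.
# Table names assume the default "wp_" prefix; adjust if your install uses another one.
SAMPLE_OPTIONS = [("users_can_register", "1"), ("blogname", "My blog")]
SAMPLE_USERS = [
    (1, "admin", "2006-01-10 09:00:00"),
    (2, "editor_jane", "2006-03-02 12:00:00"),
    (3, "guest4711", "2006-07-28 22:13:05"),
    (4, "guest4712", "2006-07-29 01:02:03"),
]
# WordPress stores roles as a PHP-serialized array under meta_key "wp_capabilities".
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
]

# Matches each role entry whose value is boolean true inside the serialized array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Return the set of role names that are enabled in a wp_capabilities value."""
    return set(ROLE_RE.findall(serialized))


def open_sample_db():
    """Build an in-memory SQLite stand-in for the MySQL tables (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", SAMPLE_OPTIONS)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return conn


def registration_enabled(conn):
    """True when the 'Anyone can register' switch is on."""
    row = conn.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'users_can_register'"
    ).fetchone()
    return row is not None and row[0] == "1"


def disable_registration(conn):
    """Equivalent of unchecking 'Anyone can register' in wp-admin >> Options."""
    conn.execute(
        "UPDATE wp_options SET option_value = '0' WHERE option_name = 'users_can_register'"
    )
    conn.commit()


def default_role_accounts_since(conn, since):
    """List (ID, login, registered) for accounts holding only the subscriber role
    and registered on or after `since`; these are the self-signups to review."""
    rows = conn.execute("""
        SELECT u.ID, u.user_login, u.user_registered, m.meta_value
        FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities' AND u.user_registered >= ?
        ORDER BY u.ID
    """, (since,)).fetchall()
    return [(uid, login, reg) for uid, login, reg, caps in rows
            if roles_from_capabilities(caps) == {"subscriber"}]


def audit_and_lock_down(conn, since):
    """Turn registration off if it was on, then report the accounts to vet by hand."""
    was_open = registration_enabled(conn)
    if was_open:
        disable_registration(conn)
    return {
        "registration_was_open": was_open,
        "now_open": registration_enabled(conn),
        "suspects": default_role_accounts_since(conn, since),
    }


if __name__ == "__main__":
    db = open_sample_db()
    print(audit_and_lock_down(db, "2006-07-01 00:00:00"))
```

The script does not patch anything; it only flips the option and produces the list of subscriber-only accounts for you to delete or disable, which is exactly the manual step the post asks for. Pick the `since` date from when you first opened registration, and treat the role filter as a heuristic: an account someone promoted by hand will not appear, and nothing here tells you what a guest account has already done.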
UPDATE: OK, now I have a much better idea. Thanks to this posting by Bryan Layman at the Code Cave we have some actual information rather than the Chicken Little approach.
The really good news is that Ryan Boren released the beta version of WordPress 2.0.4 on Sunday. The Beta2 version of the release includes a fix for this issue.
For those of you who believe that disabling "anyone can register" just won't suffice, here are links to the BETA code for 2.0.4.
Caveat Emptor
http://wordpress.org/beta/wordpress-2.0.4-beta-2.zip
http://wordpress.org/beta/wordpress-2.0.4-beta-2.tar.gz
Last reminder: this is beta code. I take no responsibility if your site goes boom. I'm sure, however, that it's probably just fine.
[tags]Exploit, Security, Vulnerability, WordPress[/tags]