Advisories
WordPress Thrashing Authorisation Bypass
Thomas Mackenzie has reported a vulnerability affecting Wordpress >= 2.9. Versions before 2.9 are not vulnerable.
tmacuk quote:
Since version 2.9 a new feature was implemented so that users were able to retrieve posts that they may have deleted by accident. This new feature was labelled ‘trash’. Any posts that are placed within the trash are only viewable [...]
WordPress Trackback < 2.8.5 Denial of Service
If you are running WordPress < 2.8.5 and finding your blog inaccessible at times this post may be for you.
A denial of vulnerability was released back in Oct 2009 that affects < WordPress 2.8.5.
The exploit sends a continuous stream of POST requests with overly large blog titles to wp-trackback.php. This could result in the [...]
Distributed WordPress Password Guessing
One of The Internet Storm Center readers recently discovered a malicious WordPress hacking script.
The script is nothing more then a password guessing tool. However, what makes it unique — as pointed out by ISC, is the fact that it uses a MySQL database backend to store password attempts. This means the script could be executed [...]
WordPress <= 2.8.3 Reset Admin Password Vulnerability
An exploit has been released for all current versions of WordPress including WordPress
WordPress 2.8.3 Fixes Security Holes
If you haven’t already done so, we’d stongly recommend upgrading to WordPress 2.8.3. Also, the WordPress 2.0.x branches are now deprecated (a bit earlier then expected) and will therefore no longer be maintained. [Link]
Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. [...]
