Adrian, is it safe to assume then that these vuls affect WP < 2.0.4?

Hey David,

That’s _less than_ rather than _less than or equals to_ right? In other words:

Adrian, versions below 2.0.4 but not including 2.0.4 :)

FYI,

just tested it on 1.5.1.1 and it IS vulnerable as well.

David,

Just wanted to make sure you typed what you meant. I know it’s late on a Friday, so it’s easy to make typos :-D

No worries, late night brain power :)

It’s disgusting that this kind of vulnerability even existed in the first place.

Is it me or do WP developers just not give a shit about security?

Daniel,

Although WP is a great product functionality wise, security is not a priority for the developers of the project (IMO).

[…] wp_register XSS through user_email parameter (more) […]

Guys.

From those holes that I found in WordPress, there is also one such XSS holes, besides these XSS holes in wp-register.php, which I found in WordPress MultiUser (and it’s similar hole). It may be interesting for you.

As I wrote at my site http://websecurity.com.ua/1269/ - the hole (which I found at 06.11.2006) is in WordPress MultiUser 1.0 (and below). XSS is in wp-newblog.php script in Username field. And as I tested in WP MU 1.1.1 this hole was fixed.

About these holes in WP and WP MU I didn’t inform WP developers (just disclosed at my site), because had not time for that and the holes was already fixed at time when I posted about them. But I planning to write about these holes to developers (to make them aware about a lot holes in their software - like I regularly inform them about holes in WP).

P.S.

There are some interesting holes in WP, which I found in June 2007 (and holes in some WP plugins which I found in 2006) which I planned to disclose in near future. And I’ll inform developers. Just wait until time will come. Take care about your WP sites.

MustLive, thanks for letting us know. If you want to do joint-releases with BlogSecurity regarding any of your future findings let us know man. Nice work.

@MustLive, thanks for letting us know. But one major Problem of the Internet is, that there’s no central place for Disclosures or anything else. Many people try to get into some spotlight with their Service…
And please forgive us that we can’t check all Disclosure Websites for already published disclosures. Especially none out of our language knowledge, And as we didn’t found anything on Wordpress we supposed that flaw to be unknown, or silently fixed.
We’re planning to do something like a Month of Wordpress Bugs(although for Plugins), so If you like we could do some joint venture.

David, as I just found, you have restrictions in your comments. You are fun guy with fun site. When posting a comment I found that you have some limits with comment’s text. It’s possible or some bug in engine or some incorrect settings - because it’s unserious settings, I can’t post even a small message :-). You need to fix it. And take care about your site and its comments, so every part of site will work correctly.

About my holes in WP. Besides a lot of holes in WP plugins, I also have some holes in WordPress (in main WP bundle). Some holes concerning old WP versions (and possible new) with some requirements, and one hole concern possible all version of WP (including last). With this hole it’s possible to hack every WP site (it’s mega hole). This vuln is tricky to use, but can hack possibly all WP sites (it has some requirements, but they can be achieved and even improved with using some previous holes). With this complex attack every site on WP is in danger. Using WordPress is like a sitting on mine. So take care of your sites. The disclosure will in future. After November, which will the very hot month.