Filed Under (BlogWatch) by Adrian Pastor on 27 May 2007

BlogSecurity’s WordPress BlogWatch gives you a central location to check out the latest WordPress Vulnerabilities. In the future, I hope to incorporate this information into a WordPress plugin and alerting system. Please check back often for updates.

If you see a vulnerability that we have not listed, please let us know via our Contact Form, thank you in advance.

Latest WordPress Version

The latest WordPress download is available here.

WordPress Vulnerabilities

| Versions Affected | Details | Risk |
|---|---|---|
| WordPress = 2.3 | XSS injection in edit-post-rows.php, needs register_globals on (more) | MEDIUM |
| WordPress <= 2.3 | Unregistered user can add Links to Blogroll (more) | LOW |
| WordPress <= 2.2.2 and WordPress MU <= 1.2.4 | Remote SQL Injection in xmlrpc.php (more) | HIGH |
| WordPress <= 2.2.2 | User can post arbitrary HTML without the needed rights (more) | MEDIUM |
| WordPress <= 2.2.1 | Redirection Vulnerability in wp-pass.php (more) | MEDIUM |
| WordPress <= 2.2 and WordPress MU <= 1.2.2 | Arbitrary File Upload (more) | HIGH |
| WordPress <= 2.2 | Remote shell injection in PHPMailer (more) | HIGH |
| WordPress <= 2.2 | Unauthorised Comments Disclosure (more) | LOW |
| WordPress <= 2.2 | xmlrpc.php authenticated SQL Injection (more) | MEDIUM |
| WordPress <= 2.1.3 | admin-ajax.php SQL Injection (more) | HIGH |
| WordPress <= 2.1.3 | Akismet XSS (more) | HIGH |
| WordPress <= 2.1.2 | PHP_SELF XSS (more) | HIGH |
| WordPress <= 2.1.2 | XMLRPC SQL Injection (more) | HIGH |
| WordPress 2.1.1 | Backdoored Version (more) | HIGH |
| WordPress <= 2.1.0 | Comments XSS (more) | HIGH |
| WordPress <= 2.0.7 | Templates.php XSS (more) | HIGH |
| WordPress <= 2.0.6 | wp-trackback.php SQL Injection (more) | HIGH |
| WordPress <= 2.0.5 | Template CSRF Vulnerability (more) | HIGH |
| WordPress <= 2.0.3 | wp_register XSS through user_email parameter (more) | MEDIUM |
| WordPress <= 2.0.2 | cache_file PHP injection (more) | HIGH |
| WordPress <= 2.0.0 | wp_register XSS through user_login parameter (more) | MEDIUM |
| WordPress <= 1.5.1.3 | Command Execution (more) | HIGH |
| WordPress <= 1.2.2 | Multiple XSS, SQL Injection (more) | HIGH |

WordPress Plugin Vulnerabilities

| Versions Affected | Details | Fixed Version | Risk |
|---|---|---|---|
| WordSpew <= 3.72 | SQL Injection Vulnerability (more) | WordSpew 3.72 | HIGH |
| BackupWordpress < 0.4.3 | Remote File Inclusion (more) | BackupWordPress 0.4.3 | HIGH |
| FeedSmith <= 2.2 | CSRF possible (more) | FeedSmith 2.3 | HIGH |
| wp-feedstats < WordPress 2.4 | Persistent XSS Vulnerability (more) | wp-feedstats 2.4 | HIGH |
| wp-db-backup < WordPress 2.0.4 | Directory Traversal Vulnerability (more) | WordPress > 2.0.5 | HIGH |
| wp-pagenavi < 2.11 | XSS Vulnerability (more) | 2.11 | HIGH |
| WP-Stats < 2.01 | SQL Injection Vulnerability (more) | 2.01 | HIGH |
| WordPress Democracy <= 2.0 | XSS Vulnerability (more) | 2.0.1 | HIGH |
| WordPress myFlash <= 1.00 | Remote File Include (more) | None found | HIGH |
| WordPress myGallery <= 1.4b4 | Remote File Include (more) | 1.4b7 | HIGH |
| WordPress wordTube <= 1.43 | wpPATH Remote File Inclusion (more) | 1.44 | HIGH |
| WordPress wp-Table <= 1.43 | Remote File Include (more) | 1.45 | HIGH |


Comments

[…] updated their site with a list of known vulnerabilities in each version of Wordpress and some popular plugins. I appreciate this list, and hope it’s regularly updated - knowing […]


[…] wrote about BlogSecurity the other day, and they’re now posting updates on WordPress security issues. While I’m certain that there are other sites doing this, I just wanted to include the […]


BlogSecurity » WordPress 2.2 Vulnerability on 30 May, 2007 at 10:53 am

[…] WordPress BlogWatch has been updated to reflect this finding. […]


BlogSecurity » Blog Under Siege on 3 July, 2007 at 1:03 pm

[…] wordTube <= 1.43 is listed on BlogSecurity’s dangerous WordPress software list "BlogWatch". This wp-plugin is vulnerable to a File Include Vulnerability, this means an attacker can […]


BlogSecurity » wp-pass Redirect Vulnerability on 5 July, 2007 at 12:49 pm

[…] BlogWatch was updated with this vulnerability and classified as a Medium Risk issue. […]


BlogSecurity » WordPress BlogWatch Updated on 9 July, 2007 at 4:19 pm

[…] BlogWatch Updated | News, WordPress | BlogSecurity’s WordPress BlogWatch gives you a central location to check out the latest WordPress […]


svenkubiak.de » svenkubiak.de defaced on 12 July, 2007 at 1:50 am

[…] during my research I came across the BlogSecurity site, which, in addition to current vulnerabilities, also offers a WordPress Vulnerability Scanner that lets you check your blog for vulnerabilities […]


BlogSecurity » WordPress Blog gets hacked on 12 July, 2007 at 3:54 am

[…] was defaced yesterday due to running an older version of the popular myGallery plugin. BlogWatch was referenced in his article, as we have displayed the myGallery vulnerability on WordPress […]


[…] A list of known security holes in WordPress and plugins can, by the way, be found at BlogSecurity. In my opinion it should not be missing from any feed reader. Tags: aktuelles, Defacement, Security, wordpress […]


BlogSecurity » wp-feedstats persistent XSS on 26 July, 2007 at 8:15 pm

[…] BlogWatch has been updated with this vulnerability. […]


[…] the BlogSecurity site, with Blogwatch, also offers helpful pointers to security holes in Wordpress and plugins, alongside milw0rm -> wordpress […]


Mikael on 17 August, 2007 at 1:54 am

Would be great to be able to subscribe to the updates of this post somehow. Is there a way?


dk on 17 August, 2007 at 7:14 pm

Mikael, we usually do release an update post on the main blog when it has been updated. So if you subscribe to our main feed you’ll know. Thanks.


GaMerZ on 20 September, 2007 at 7:14 am

Hi, I am the author of pagenavi, but the more link is linked to the readme.html instead of the security issue.


David Kierznowski on 20 September, 2007 at 7:44 pm

GamerZ, if you send me the link to the latest version I’ll make the correction. Thanks.


[…] WP security holes: a good summary of all currently known security holes in Wordpress and plugins. […]


BlogSecurity » WordPress security getting better? on 16 October, 2007 at 7:52 am

[…] been a quiet couple of weeks for WordPress vulnerability disclosure. In fact, according to WordPress BlogWatch WP 2.2.3 and Dexter remain vulnerability free - of course, this does not include themes and […]


Problems and Moving House on 3 December, 2007 at 8:39 pm

[…] his internet for a day so I could sort out the mess - in short… I was using old versions of Wordpress that had vulnerabilities. A very bad idea as these vulnerabilities were being abused by someone or something which caused my […]


[…] WP BlogWatch […]


ITbananas » Archive » WordPress Security on 20 January, 2008 at 10:14 pm

[…] and finally we will look at the list of security holes and alerts for the various WordPress versions: WordPress BlogWatch […]


[…] upgrades seriously — Check this list, and if your WordPress version is one of these with known vulnerabilities, or if you are using […]


[…] other hackings, I was stunned to discover that there are over a dozen versions of WordPress with known vulnerabilities. With an estimated 2 to 3 million blogs using WordPress, that means a lot of blogs potentially at […]


links for 2008-02-10 oggin.net on 10 February, 2008 at 2:22 am

[…] BlogSecurity » Blog Archive » WordPress BlogWatch BlogSecurity’s WordPress BlogWatch gives you a central location to check out the latest WordPress Vulnerabilities. In the future, I hope to incorporate this information into a WordPress plugin and alerting system (tags: blog Security wordpress) […]


Webrocker » WordPress Hacks on 21 March, 2008 at 10:47 am

[…] The site blogsecurity.net regularly reports on new vulnerabilities. The site offers tools such as the WP-Scanner, with which you can check the security of your own installation, guides on how to harden your blog and the PHP settings, and a list of the security holes in the various WP versions. […]


Tobias on 17 April, 2008 at 9:41 pm

Is this list still being updated? I can't find the latest WP 2.5 reports here yet… Is there a corresponding list somewhere in the Codex? Thanks.


Philipp on 18 April, 2008 at 8:12 am

Hello Tobias, the list is not being updated at the moment. It will, however, shortly be replaced by a new service, which will then also list the most recent vulnerabilities and offer more features.


WordPress » Blog Archive » what is WordPress on 19 April, 2008 at 8:52 am

[…] ^ BlogSecurity » Blog Archive » WordPress BlogWatch […]
