WordPress 2.5.1 Malicious File Execution
CWH Underground have published an advisory regarding a malicious file execution vulnerability in WordPress 2.5.1.
We do not quite follow this advisory. It describes uploading a PHP backdoor onto a WordPress blog via the file upload facility or via the plugin edit facility. I don’t think this is really a WordPress issue but rather the correct functionality of WordPress.
We have discussed before in our WordPress Whitepaper that the file upload facility should be restricted to trusted users only. We also recommend reading our Role Management post.




When the first requirement is to have an administrator username and password, it’s hard to consider it much of an issue.