If you’re running a WordPress blog on your servers that isn’t version 2.8.4 you’re strongly advised to upgrade immediately to the latest version of the software to avoid an ongoing attack. WordPress.com hosted blogs are not affected.
The issue was first reported by Lorelle on WordPress after it was discovered that an attack is exploiting security holes in previous versions, creating a hidden Admin account and drilling right down to the database level.
Lorelle writes:
There are two clues that your WordPress site has been attacked. There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”
The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account.
All Wordpress users are advised to upgrade to the latest version of WP (2.8.4). Those already affected will likely need to export all content with the built-in XML WordPress exporting utility, uninstall and reinstall WordPress and re-import the content.
5 Responses to “Serious Wordpress Vulnerability Issue”
Leave a Reply
Archives
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- April 2011
- January 2011
- December 2010
- November 2010
- August 2010
- June 2010
- April 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- February 2009
- January 2009
- December 2007
- November 2006
Categories
Our Top Posts
Follow @Web_Forensics
Recent Comments
Tags
Wolfram Alpha
Our Friends
TechnoratiWebsiteForensics
What We Tell The World
- About this server
- The hostname: websiteforensics.com
- This server address: 209.237.150.20
What You Tell The World
- Your IP address: 38.107.179.240
- Your hostname: 38.107.179.240
- Your country domain: .240
- You came from:
- Requested URL: /wordpress/wordpress-vulnerability/
- Browser INFO: CCBot/1.0 (+http://www.commoncrawl.org/bot.html)
September 6th, 2009 at 10:52 am
“Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.” Source: Wordpress.org
September 6th, 2009 at 10:53 am
A firsthand experience : ” Numerous times yesterday I noticed via my web analytics spy that your beloved ReynoldsFTW category pages were being hit by this so-called worm via the strange URL above in (1). Which goes to show it’s pretty prevalent out there! This is not a drill! “
October 5th, 2009 at 9:41 pm
<p>”Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.” Source: <a href=”http://wordpress.org/development/2009/09/keep-wordpress-secure/” rel=”nofollow”>Wordpress.org</a></p>
October 21st, 2009 at 10:57 am
In version 2.8.5 that issue is fixed.
October 21st, 2009 at 6:27 pm
I want to thank you for this great article. It very appreciated for answering our questions about wordpress.
steroids
February 2nd, 2010 at 6:58 am
How to Check the Update Status of Your WordPress Plugins …: WordPress Plugins are especially vulnerable as many … http://bit.ly/9V0yR0
May 24th, 2010 at 7:50 pm
Okay friends, I need some help. I’ve been told I’m running a “vulnerable version or Wordpress” and to update the software.
June 17th, 2010 at 3:49 pm
Apple Update potentially gives older Flash Player plugin:
http://bit.ly/9RZY4M
Get latest version of Flash update:
http://bit.ly/aCzfgT