By Thilak January 2, 2007

Wordpress template.php Exploit Discovered

A cross-site scripting (XSS) vulnerability has been found in wp-admin/template.php that could allow remote attackers to inject arbitrary script or HTML through the file parameter.

Because the injected markup is reflected back into the page, it executes in the browser of whoever opens a crafted link, with the privileges of that user's session. An administrator who is lured into following such a link can therefore have actions taken in their name on the blog. The flaw does not by itself let an attacker write PHP or HTML into the WordPress core files on the server; the damage is done through the victim's browser.
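The pattern behind a reflected XSS of this kind, shown here as an added illustration rather than WordPress's own template.php code: a request parameter is echoed into the page verbatim, and the fix is to encode it for the context it lands in. The function names, the form field and the sample payload are assumptions made for this example.

```php
<?php
// Added illustration, not WordPress's own template.php code. The handler
// names, the form field and the sample payload are assumptions made for
// this example.

// Vulnerable pattern: the "file" request parameter is written into an HTML
// attribute verbatim. A value such as  "><script>...</script>  closes the
// attribute and the tag, and the rest is parsed as live markup in the
// browser of whoever opens the crafted URL.
function render_editor_vulnerable(array $get)
{
    $file = isset($get['file']) ? $get['file'] : '';
    return '<input type="text" name="file" value="' . $file . '">';
}

// Hardened pattern: encode the value for the HTML attribute context before
// echoing it. ENT_QUOTES covers both quote characters, so the attribute
// cannot be terminated early, and < and > become entities.
function render_editor_hardened(array $get)
{
    $file = isset($get['file']) ? $get['file'] : '';
    $safe = htmlspecialchars($file, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="file" value="' . $safe . '">';
}

// Reflection check: does a raw <script> tag survive into the rendered HTML?
// The same idea works against a live page: submit a harmless marker string
// in the parameter and look for it unencoded in the response.
function reflects_script($html)
{
    return strpos($html, '<script>') !== false;
}

// Constructed input: a standard attribute-breakout payload.
$payload = '"><script>alert(document.cookie)</script>';

$vuln = render_editor_vulnerable(array('file' => $payload));
$hard = render_editor_hardened(array('file' => $payload));

printf("vulnerable page reflects payload: %s\n", reflects_script($vuln) ? 'yes' : 'no');
printf("hardened page reflects payload:   %s\n", reflects_script($hard) ? 'yes' : 'no');
echo "hardened markup: ", $hard, "\n";
```

Run it with php on the command line: the vulnerable handler reports that the script tag is reflected, the hardened one does not, and the printed markup shows the payload reduced to entities inside the attribute. Encoding at the point of output is what closes the XSS; whether the named file is one the editor is allowed to open is a separate validation the handler must do before touching the disk, and it is not what this example demonstrates.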

Vulnerable versions of WordPress:

  • WordPress 2.0.5
  • WordPress 2.0.4
  • WordPress 2.0.3
  • WordPress 2.0.2
  • WordPress 2.0.1
  • WordPress 2.0
  • WordPress 1.5.
  • WordPress 1.5.1.3
  • WordPress 1.5.1.2
  • WordPress 1.5.1
  • WordPress 1.5
  • WordPress 1.2.2
  • WordPress 1.2.1
  • WordPress 1.2
  • WordPress 0.71
  • WordPress 0.7
  • WordPress (B2) 0.6.2.1
  • WordPress (B2) 0.6.2

The simplest fix is to download the patched version of template.php and use it to replace your existing wp-admin/template.php. Back up the original first, make sure the replacement comes from a source you trust (a single file offered by a third party is itself something to verify before you drop it into wp-admin), and move to the official WordPress release that addresses the issue as soon as one is available.

Read more about this exploit on Operation N or SecurityFocus.

WordPress is a powerful blogging script, and I'm sure many of you blog with it. Don't wait any longer: go patch your template.php file now.

Thanks for the tip Ashish, Phalgun

Discussion

Comments for “Wordpress template.php Exploit Discovered”

  • Thanks Thilak for adding my name.
  • Thanks for the update!

    Is there any problem if we didn't replace the file?
  • Rishi: No, there won't be a problem unless you are spotted by some attacker
  • Thilak,

    What concerns me the most is that Wordpress.org hasn't released anything about this yet. There isn't anything posted on their blog and no official fixes. What more do you know about this and do you think that Wordpress.org knows about this?
  • You mean existing... not exiting ;)
