Add to Google Reader, Bloglines, Netvibes

2


Jan

Wordpress template.php Exploit Discovered

A Cross-site scripting (XSS) vulnerability has been in found in wp-admin/template.php which could allow malicious web users to inject arbitary web scripts or HTML code through the file parameter.

This exploit could allow remote attackers to do nasty things by injecting php or html codes into your wordpress core files.

Vulnerable versions of Wordpress:

  • WordPress, 2.0.5
  • WordPress, 2.0.4
  • WordPress, 2.0.3
  • WordPress, 2.0.2
  • WordPress, 2.0.1
  • WordPress, 2.0
  • WordPress, 1.5.
  • WordPress, 1.5.1.3
  • WordPress, 1.5.1.2
  • WordPress, 1.5.1
  • WordPress, 1.5
  • WordPress, 1.2.2
  • WordPress, 1.2.1
  • WordPress, 1.2
  • WordPress, 0.71
  • WordPress, 0.7
  • Wordpress, (B2) 0.6.2.1
  • Wordpress, (B2) 0.6.2

The simplest way to fix this exploit would be to download the patched version of template.php and then replace it with your exiting wp-admin/template.php

Read more about this exploit on Operation N or Security Focus

Wordpress is a powerful blogging script, I’m sure lots of you might be blogging using Wordpress. Don’t wait any longer, go patch your template.php file now.

Thanks for the tip Ashish, Phalgun



* Written by Thilak | Share This | * 17 Comments »

17 Comments and Trackbacks (Add Your Own)

Pages: [1] 2 3 »

  1. MyAvatars 0.2
    Phalgun
    wrote, on January 2nd, 2007

    Thanks Thilak to add my name.

  2. MyAvatars 0.2
    Rishi
    wrote, on January 2nd, 2007

    Thanks for the update!

    Is there any problem if we didnt replace the file?

  3. MyAvatars 0.2
    TechnoBeta Blog
    wrote, on January 2nd, 2007

    [...] To learn more about this vulnerability, visit Operation N or Security Focus. Report via Tech-Buzz. [...]

  4. MyAvatars 0.2
    Thilak
    wrote, on January 3rd, 2007

    Rishi: No, there won’t be a problem unless you are spotted by some attacker

  5. MyAvatars 0.2
    Garry Conn
    wrote, on January 3rd, 2007

    Thilak,

    What concerns me the most is that Wordpress.org hasn’t released anything about this yet. There isn’t anything posted on their blog and no official fixes. What more do you know about this and do you think that Wordpress.org knows about this?

  6. MyAvatars 0.2
    Zealios[dot]Net » Blog Archive » Wordpress Exploit.
    wrote, on January 3rd, 2007

    [...] Thanks to Tech-Buzz. [...]

  7. MyAvatars 0.2
    Perfect Blogger
    wrote, on January 3rd, 2007

    Security Alert: templates.php XSS vulnerability in WordPress

    Thanks to Thilak of TechBuzz, I’ve just learned about wp-admin/templates.php (part of your WordPress administration functionality) seems to be vulnerable to a rather nasty XSS exploit.

  8. MyAvatars 0.2
    Ajay
    wrote, on January 3rd, 2007

    You mean existing… not exiting ;)

Pages: [1] 2 3 »

Leave a Reply

Grab our RSS feed.

Updates straight to your inbox.