WordPress PHP Code Injection Vulnerability

Rgod has discovered a vulnerability in WordPress, which can be exploited by malicious users to compromise a vulnerable system.

Input passed to various fields when registering or updating the user profile isn’t properly sanitised before being stored in PHP scripts in the wp-content/cache/userlogins/ and wp-content/cache/users/ directories inside the web root. This can be exploited to inject and execute arbitrary PHP code via the newline character. It is also possible to supply a spoofed IP address when registering by setting the “PC_REMOTE_ADDR” HTTP header.

The vulnerability has been confirmed in version 2.0.2. Other versions may also be affected.

Solution: Restrict web access to the wp-content/cache/userlogins/ and wp-content/cache/users/ directories (e.g. with a .htaccess file).
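One way to apply and verify the .htaccess restriction on the two cache directories, as an added example that is not part of the original advisory. It assumes an Apache server that honours .htaccess overrides; the function names and the WordPress root argument are hypothetical.

```shell
#!/bin/sh
# Added example: deny direct web access to the two cache directories
# named in the advisory. Assumes Apache with AllowOverride enabled.

write_deny_htaccess() {
    # $1 = directory to protect
    dir=$1
    [ -d "$dir" ] || return 0   # nothing to protect if the directory is absent
    cat > "$dir/.htaccess" <<'EOF'
# Block all HTTP access: the cache files stored here are PHP scripts.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
EOF
    chmod 644 "$dir/.htaccess"
}

harden_wp_cache() {
    # $1 = WordPress installation root (assumed argument)
    wp_root=$1
    [ -d "$wp_root/wp-content" ] || { echo "not a WordPress root: $wp_root" >&2; return 1; }
    for sub in userlogins users; do
        write_deny_htaccess "$wp_root/wp-content/cache/$sub"
    done
}

check_wp_cache() {
    # Returns 0 only if every existing cache directory carries a deny rule.
    wp_root=$1
    rc=0
    for sub in userlogins users; do
        d="$wp_root/wp-content/cache/$sub"
        [ -d "$d" ] || continue
        if ! grep -q 'Require all denied' "$d/.htaccess" 2>/dev/null; then
            echo "UNPROTECTED: $d" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run `harden_wp_cache /path/to/wordpress` followed by `check_wp_cache /path/to/wordpress`. The file check only confirms the rule is on disk, so also request a file under each directory over HTTP and confirm the server answers 403.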