Urgent Wordpress security update released

Fri, 8th February 2008, 16:37

Wordpress issued an "urgent security update" on Tuesday, moving to version 2.3.3. Most WP users are probably aware of this through Wordpress' Dashboard. There is a vulnerability with xmlrpc.php. If you haven't done the update, you should jump on it immediately. You can just install the security fix, downloading then overwriting xmlrpc.php on your server. If you are interested in the bug fixes you can just fully upgrade. From Secunia's description:


A vulnerability has been reported in WordPress, which can be exploited by malicious users to bypass certain security restrictions and to manipulate data.

The xmlrpc.php script does not properly restrict access to the edit functionality. This can be exploited to edit other users' posts.

Successful exploitation requires valid user credentials.

The vulnerability is reported in version 2.3.2. Prior versions may also be affected.

The announcement also mentions there is a serious exploit in the WP-Forum plugin, they recommend removing it until an update is available. This exploit allows malicious users to conduct SQL attacks. From the article:


This vulnerability when exploited successfully allows the individual to retrieve usernames, password hashes, and email addresses for all users, including administrators. However, the user has to have knowledge of the proper database table prefix. This vulnerability has been confirmed in version 1.7.4 which is currently the most recent version available for download.

Note they do not say to disable it, they tell you to remove it.

I wish there was a security clearinghouse for Wordpress Plugins. I was completely unaware of the WP-Forum exploit, and it was announced January 21st. It is a very serious exploit, as you can see. I check through the plugin administration page for updates to plugins and install them, it had (sadly) never occurred to me to check for security issues that aren't addressed. This would be something nice to see in Wordpress' Dashboard, a lot more useful to me than “hoodies available!” announcements.

How seriously do you take your site's security? Do you install these updates immediately? Do you check the security status of your plugins? If so, where? Please comment and let us know.