[wp-hackers] Another 'WP + SQL injection' post

Robert Deaton false.hopes at gmail.com
Wed Oct 19 16:26:47 GMT 2005

I just double checked, and as far as I can see, this is true, and I do
remember a ton of posts on the forums and even a few on the old bug
tracker on not necessarily SQL injection but it failing to post
because people had a slash or two in their code

On 10/19/05, Podz <podz at tamba2.org.uk> wrote:
> "Okay, this is a major concern for anyone with 'posting by email enabled'.
> The warned you that giving out your address is a problem because other
> people can post to your blog. That isn't all there is.
> In at least my current version of wordpress (1.5.2), the wp-mail.php
> page does not sanatize the input received and this leaves your database
> open the sql insertion.
> Because the layout of the database is easily discovered as a wordpress
> data base, hackers could add themselves, remove you, or perform any
> other data base function.
> Also, this has the unfortunate side effect of preventing emails
> containing certain punctuation from being put into the data base(think
> quotations) and thuse never getting out of your pop3 box until you
> delete them.
> If this hasn't already been addressed in more recent versions, it needs
> to be. "
> http://wordpress.org/support/topic/47321
> Would someone mind squashing this in the forums please ?
> P.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

--Robert Deaton

More information about the wp-hackers mailing list