[wp-hackers] Moved from BlogWare to WordPress - Need Help

Mark Jaquith mark.wordpress at txfx.net
Sat May 20 09:55:39 GMT 2006

On May 20, 2006, at 5:39 AM, Chris Pirillo wrote:

>  On the backend of the plugin, the /wp-config, and the
> /wp-admin/admin.php scripts are included in the main script. If the  
> person
> trying to edit a post isn't an admin, and isn't logged in, then the  
> backend
> scripts will not work.  There is no way around it.

Would rather not outline exactly how to get around it on a public  
forum... but the way I read the code, there is more than one way  
around it, and the damage might not be limited to vandalism on a post- 
by-post basis... I see a possible SQL injection point.

I'll contact Sean directly, but I'd advise disabling the plugin in  
the meantime.
Mark Jaquith

More information about the wp-hackers mailing list