[wp-hackers] PCI Compliance and Wordpress 2.9.2

Katrina Tustin Katrina at JStreetTech.com
Wed May 19 19:23:28 UTC 2010


Hi,

I am hoping that someone can help us.  We have an e-commerce site as well as a WordPress blog.  We have been unsuccessful in passing PCI compliance due to a security issue with the blog.  This is the error that is received from Security Metrics.  We are running 2.9.2.  Any help would be appreciated.

Synopsis: The remote web server contains a PHP application that is affected by an information disclosure issue.

Description: The version of WordPress on the remote host does not properly check for administrative credentials in the 'is_admin()' function in 'wp-includes/query.php'. Using a specially-crafted URL that contains the string 'wp-admin/', an attacker may be able to leverage this issue to view posts for which the status is classified as 'future', 'draft', or 'pending', which would otherwise be available only to authenticated users.

See also:
http://www.securityfocus.com/archive/1/485160/30/0/threaded
http://trac.wordpress.org/ticket/5487

Solution: Unknown at this time.

Risk Factor: Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

BID: 26885

Other references: OSVDB:39518, Secunia:28130

Thank You,

Katrina
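The flaw the scanner describes is a classic authorization mistake: "are we in the admin area?" was answered by looking for the substring 'wp-admin/' in the request path, which the client controls, and that answer then widened the set of post statuses the query would return. The ticket linked above (trac 5487) is the draft-exposure bug that WordPress 2.3.2 fixed, so a 2.9.2 install is not running that code; the example below is added here to show the pattern and its fix, and is not WordPress's own code. The post list, the users, the capability name and the request paths are all constructed for the illustration.

```php
<?php
// Added illustration (not WordPress code): deciding "admin context" from a
// substring of the request path is not an authorization check, because the
// request path is attacker-controlled. Everything below is constructed data.

$posts = [
    ['id' => 1, 'title' => 'Published post',   'status' => 'publish'],
    ['id' => 2, 'title' => 'Unfinished draft', 'status' => 'draft'],
    ['id' => 3, 'title' => 'Scheduled post',   'status' => 'future'],
    ['id' => 4, 'title' => 'Awaiting review',  'status' => 'pending'],
];

// Flawed pattern described in the scanner report: "admin" is inferred from
// the request path. Any client can put 'wp-admin/' into the path it asks for.
function is_admin_by_path(string $request_path): bool {
    return strpos($request_path, 'wp-admin/') !== false;
}

// Hardened pattern: only a capability that the server attributes to an
// authenticated session may widen the visible status set. The capability
// name 'edit_posts' is an assumption for this example.
function can_read_unpublished(array $user): bool {
    return !empty($user['authenticated']) && !empty($user['caps']['edit_posts']);
}

// Statuses a request may see, given whether it is privileged.
function visible_statuses(bool $privileged): array {
    return $privileged ? ['publish', 'draft', 'future', 'pending'] : ['publish'];
}

function query_posts(array $posts, array $statuses): array {
    return array_values(array_filter(
        $posts,
        fn(array $p): bool => in_array($p['status'], $statuses, true)
    ));
}

$anonymous = ['authenticated' => false, 'caps' => []];
$editor    = ['authenticated' => true,  'caps' => ['edit_posts' => true]];

$front   = '/';
$crafted = '/index.php/wp-admin/';   // constructed: contains the magic substring

$requests = [
    ['path' => $front,   'user' => $anonymous],
    ['path' => $crafted, 'user' => $anonymous],   // unauthenticated, crafted path
    ['path' => $front,   'user' => $editor],      // authenticated editor, plain path
];

foreach ($requests as $req) {
    $flawed = query_posts($posts, visible_statuses(is_admin_by_path($req['path'])));
    $fixed  = query_posts($posts, visible_statuses(can_read_unpublished($req['user'])));
    printf(
        "%-22s auth=%-3s  path-check sees %d post(s), capability-check sees %d post(s)\n",
        $req['path'],
        $req['user']['authenticated'] ? 'yes' : 'no',
        count($flawed),
        count($fixed)
    );
}
```

Run it with `php example.php`. The path-based check hands the anonymous request with the crafted path all four posts, including the draft, future and pending ones, while the capability-based check returns only the published post to both anonymous requests and the full set only to the authenticated editor. When a scanner flags a finding like this against a current install, the practical response is to confirm the actual version (the `$wp_version` value in `wp-includes/version.php`) and, if it is past the fixed release, submit that evidence to the scanning vendor as a false positive rather than changing the application.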


