[wp-hackers] [Full-disclosure] Possible Code Execution vulnerability in WordPress ?

Claude Needham gxxaxx at gmail.com
Thu Jul 28 15:11:53 UTC 2011

On Sun, Jul 3, 2011 at 8:23 AM, Andrew Nacin <wp at andrewnacin.com> wrote:
> On Sun, Jul 3, 2011 at 11:21 AM, Marc Manthey <marc at let.de> wrote:
>> thanks , but  they do nothing else then set the ticket to "invalid" ?
>> http://core.trac.wordpress.org/ticket/17969#comment:4
>> and dont respond on emails ?
> It's been less than three hours. Give us a break.

I doubt much happens with this ticket in any case.
In reading the http://seclists.org/fulldisclosure/2011/Apr/535 article
it appears that the big vulnerability is the fact that admins could
upload php code to their own wordpress site.  One shudders to think
about the possibilities for exploiting your own site if you have ftp

Seems a little like a security risk on *your* wall safe because *you*
know the combination.

Admittedly most hacked wordpress sites are caused by the admin doing
something silly or neglecting to do something important. However, I
don't think the solution is to remove the admin ability to either edit
template code, or block downloading and installing plugins.

I must be missing something, cause it sure looks like April 1.


More information about the wp-hackers mailing list