MA-175.072009: MyCERT Alert - WordPress Privileges Unchecked in admin.php and Multiple Information Disclosures

1.0 Introduction

Several vulnerabilities have been identified in WordPress, a free and open source blog publishing application and content management system. The vulnerabilities are as follows:

- Privileges unchecked in admin.php
- Local file include
- Privileges unchecked
- Cross-site scripting
- Information disclosure vulnerabilities
2.0 Impact

By exploiting these vulnerabilities, an attacker could potentially obtain sensitive information (information disclosure), execute arbitrary script in the browser of an unsuspecting user in the context of the affected site or control how the site is rendered to that user (cross-site scripting), or reach functionality that should require higher privileges (privileges unchecked). In certain situations, such as a successful local file include, it may also be possible for an attacker to execute arbitrary code on the affected server.

3.0 Affected Products

Below is the list of vulnerable versions:

- WordPress 2.8 and earlier versions
- WordPress MU 2.7.1 and earlier versions
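The first thing an administrator needs to do with this alert is decide whether a given install falls inside the affected range above. The script below is an added example for this alert, not MyCERT or WordPress code: it reads the `$wp_version` assignment that WordPress keeps in `wp-includes/version.php`, compares it against the two ceilings in section 3.0 (2.8 for WordPress, 2.7.1 for WordPress MU), and treats a release candidate such as "2.8 RC1" as older than the final release with the same numbers. The `version.php` contents embedded in the block are a constructed sample; whether an install is WordPress MU is not recorded in that file, so the caller passes the `mu` flag.

```python
"""Check a WordPress install against the affected versions in MA-175.072009.

Added example for this alert (not MyCERT or WordPress code).  It parses the
$wp_version assignment from wp-includes/version.php and compares it with the
version ceilings given in section 3.0 of the alert.
"""
import re

# Highest affected release per product, as listed in section 3.0.
AFFECTED_CEILING = {
    "wordpress": "2.8",
    "wordpress-mu": "2.7.1",
}

# Constructed sample of wp-includes/version.php used by the demonstration.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string (constructed sample, not a real file)
 */
$wp_version = '2.8';
"""

_ASSIGN_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;")
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[\s-]*([A-Za-z]+)[\s-]*(\d*))?$")


def parse_wp_version(version_php: str) -> str:
    """Extract the value assigned to $wp_version from version.php text."""
    m = _ASSIGN_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1).strip()


def version_key(version: str) -> tuple:
    """Build a sortable key for strings like '2.8', '2.7.1' or '2.8.1 RC1'.

    Trailing zero components are dropped so '2.8.0' compares equal to '2.8'.
    A pre-release tag (RC1, beta2, ...) sorts before the final release with
    the same numbers, so '2.8 RC1' < '2.8' and '2.8.1 RC1' < '2.8.1'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    tag, tag_num = m.group(2), m.group(3)
    if tag is None:
        return (tuple(nums), 1, "", 0)                       # final release
    return (tuple(nums), 0, tag.lower(), int(tag_num or 0))  # pre-release


def is_affected(version: str, mu: bool = False) -> bool:
    """True when `version` is at or below the alert's ceiling for the product."""
    ceiling = AFFECTED_CEILING["wordpress-mu" if mu else "wordpress"]
    return version_key(version) <= version_key(ceiling)


def check_install(version_php: str, mu: bool = False) -> dict:
    """Parse version.php text and report whether that install is affected."""
    version = parse_wp_version(version_php)
    return {"version": version, "mu": mu, "affected": is_affected(version, mu)}


if __name__ == "__main__":
    # Against a real install, pass open("wp-includes/version.php").read() instead.
    print(check_install(SAMPLE_VERSION_PHP))
```

Run against a real install, the script only tells you whether the version is inside the range this alert names; it does not confirm that an upgrade was applied correctly or that no site-specific customisation reintroduced the issue, so treat a "not affected" result as a version check and nothing more.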
4.0 Recommendation

MyCERT highly recommends that users of this application upgrade to the latest version of WordPress (at the time of this alert, WordPress 2.8.1 RC1, a release candidate; sites that cannot run pre-release code should apply the final 2.8.1 release as soon as it is published). The latest version can be obtained via this URL:

http://wordpress.org/download/

MyCERT can be reached at:

E-mail : cyber999@cybersecurity.my or mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my