WordPress <= 3.0.1 Authenticated SQL Injection
WordPress 2.x – 3.0.1 is vulnerable to an authenticated SQL injection 0day. A lack of proper input validation in the do_trackbacks() function of wp-includes/comment.php allows any logged-in user with publish_posts and edit_published_posts privileges (Author group) to execute arbitrary SELECT SQL queries on the database.
This vulnerability can be exploited by entering a specially-crafted string into the Send Trackbacks field when editing a post. The effect of exploitation is that the user may be able to extract arbitrary information, such as usernames and password hashes, from the database.
What this means to WordPress users:
- If you are the only user (post author) on your blog, then you don’t have to worry.
- If you have other users Author privileges, then they could use this to extract information from your database (including your password hash).
- You can temporarily mitigate this by revoking Author privileges from any users you don’t fully trust.
- All WordPress users are encouraged to update to version 3.0.2 which patches this vulnerability.
See this post for full details.