Skip to content

Posts tagged ‘authenticated’


WordPress <= 3.0.1 Authenticated SQL Injection 0day [Patched]

WordPress 2.x – 3.0.1 is vulnerable to an authenticated SQL injection 0day. A lack of proper input validation in the do_trackbacks() function of wp-includes/comment.php allows any logged-in user with publish_posts and edit_published_posts privileges (Author group) to execute arbitrary SELECT SQL queries on the database.

This vulnerability can be exploited by entering a specially-crafted string into the Send Trackbacks field when editing a post. The effect of exploitation is that the user may be able to extract arbitrary information, such as usernames and password hashes, from the database.

What this means to WordPress users:

  1. If you are the only user (post author) on your blog, then you don’t have to worry.
  2. If you have other users Author privileges, then they could use this to extract information from your database (including your password hash).
    • You can temporarily mitigate this by revoking Author privileges from any users you don’t fully trust.
    • All WordPress users are encouraged to update to version 3.0.2 which patches this vulnerability.

See this post for full details.