WordPress Wins Pwnie Award for Mass 0wnage (For Many Many Security Vulnerabilities)
August 7th, 2008
WordPress wins the dubious distinction of Mass 0wnage Pwnie Award for an unbelievable number of WordPress vulnerabilities, over 140 as of today. It seems like hardly a week goes by without a new vulnerability in WordPress or one of its many plugins.
PHP XMLRPC Remote Code Execution Vulnerability affecting Popular Blogging and CMS Platforms like WordPress 1.5.1.2 (and lower), PostNuke, Drupal, b2evolution, TikiWiki etc.
July 5th, 2005
PHPXMLRPC, aka XML-RPC For PHP, is a PHP implementation of the XML-RPC web RPC protocol, and was originally developed by Edd Dumbill of Useful Information Company. As of the 1.0 stable release, the project has been opened to wider involvement and moved to SourceForge.
Is there a need to upgrade beyond WordPress 1.5.1.2 in near future?
June 20th, 2005
I looked at the proposed feature set summary for WordPress 1.6. Mostly UI changes, few extra plugin hooks etc.
Is PHP Secure?
July 8th, 2005
After recent reports of several critical security vulnerabilities in PHP-based software, I decided to take a closer look at the current state of security with PHP-based products.
Oh No! Yet Another WordPress Fix to a Fix to a Fix to a Fix
May 28th, 2005
The WordPress team has come up with yet another security fix (1.5.1.2), which fixes the fix (1.5.1.1), which fixes the fix (1.5.1), which is a fix for undisclosed security defects in WordPress 1.5. Update: Now it should read: The WordPress team has come up with yet another security fix (1.5.1.3), which fixes the (yet another undisclosed security risk) fix (1.5.1.2), which fixes the fix (1.5.1.1), which fixes the fix (1.5.1), which is a fix for undisclosed security defects in WordPress 1.5.
Wordpress Plugin - Angsuman's Wordpress Guard Plugin - Add A Second Layer of Security to Your Wordpress
November 13th, 2008
We are very happy to announce the much-awaited release of Angsuman's Wordpress Guard Plugin. It is a must-have Wordpress security plugin (compatible with all versions of Wordpress and tested up to version 2.6.3) that protects the vulnerable areas of your blog from outside access with an additional layer of security.
Ubuntu Releases Thunderbird Patch for Highly Critical Vulnerabilities
May 3rd, 2006
The security vulnerabilities addressed are: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information and Denial of Service. Ubuntu has issued an update for thunderbird.
WordPress Patch Update From 1.5.1.2 to 1.5.1.3 Now Available
June 30th, 2005
WordPress developers have posted yet another "security" update. Again, as always, you have to delete everything (except wp-content/ and config.php) and re-install from scratch.
Solving WordPress 1.5.1.2 Trackback and Pingback Sending Problems
June 12th, 2005
I was unable to send trackbacks and pingbacks after I tested with WordPress 1.5.1.2. I found the solution yesterday.
WordPress 2.5 Due in 22 Years!
March 27th, 2008
WordPress Trac says: Milestone 2.5 Due in 22 years (04/01/30). Read on for more details.
WordPress 2.0.4 Security Update Released
July 31st, 2006
WordPress 2.0.4 is available for download. This release contains several important security fixes, so it’s a recommended upgrade for all users.
WordPress 2.0.2 - Time To Upgrade?
March 10th, 2006
WordPress released yet another security release 2.0.2 fixing (yet again) unannounced XSS security bugs. I have not upgraded any of my blogs to 2.x release.
Critical WordPress Security Defect Found and Fixed in 2.0.7
January 11th, 2007
While WordPress 2.0.6 is still hot, a serious security defect (SQL injection attack) was found and fixed in WordPress 2.0.7, which is currently available as RC1 (release candidate 1). The key defects fixed are:
Security defect
Worked around a PHP bug for PHP 4.x less than 4.4.3 and PHP 5.x less than 5.1.4 with register_globals ON that could potentially lead to SQL injection and other security breaches.
WordPress 2.0.3 Released
June 1st, 2006
The new features / fixes are:
Small performance enhancements
Movable Type / Typepad importer fix
Enclosure (podcasting) fix
Bugtraq reported issue & backporting of security enhancements from 2.1 (nonces)
Misc. fixes etc....
Pligg (Digg Clone) Releases Security Update 9.9.5
July 31st, 2008
Pligg is a popular Digg clone. This week has been a stressful week for many Pliggers due to a security vulnerability discovered and exploited by a few hackers.