WordPress [MU] blog's options overwrite
- Author: Alexander Concha <alex at buayacorp dot com>
- Affected versions: WordPress <= 2.3.2 and WordPress MU < 1.3.2
Description
WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability.
WordPress allows any user with the manage_options capability to directly update any of a blog's options through wp-admin/options.php, so this feature can be used to perform (or hide) multiple attacks wherever WordPress expects safe data coming from the DB.
This bug is particularly critical on sites using WordPress MU, because there any user has the manage_options capability.
Proof of Concept
An exploit that uses the active_plugins option was developed to test the severity of this bug.
Solution
For WordPress MU, upgrade to the latest version (1.3.2).
For WordPress (single version), the developers have postponed the fix to a future version (it likely won't go into 2.5), since by default only Administrators have the manage_options capability.
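The root cause described above is that the options handler accepts any option name from the request. As an added example (not WordPress code and not the vendor's fix), the following sketch shows a per-page allowlist that accepts only the options a settings form owns and rejects everything else; the names ALLOWED_OPTIONS and filter_option_update and the sample request are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not part of WordPress.

// Options each settings page is allowed to change. Anything not listed
// here (for example active_plugins) can never be written through the form.
const ALLOWED_OPTIONS = [
    'general' => ['blogname', 'blogdescription'],
    'reading' => ['posts_per_page'],
];

/**
 * Split a submitted options form into accepted and rejected option names.
 *
 * @param string $page      Settings page the form was submitted from.
 * @param array  $submitted Raw name => value pairs (e.g. taken from $_POST).
 * @return array ['accepted' => name => value, 'rejected' => list of names]
 */
function filter_option_update(string $page, array $submitted): array
{
    $allowed  = ALLOWED_OPTIONS[$page] ?? [];   // unknown page: nothing allowed
    $accepted = [];
    $rejected = [];
    foreach ($submitted as $name => $value) {
        // Exact, strict name match, and scalar values only, so a nested
        // array cannot be written into an option that expects a string.
        if (is_string($name) && in_array($name, $allowed, true) && is_scalar($value)) {
            $accepted[$name] = (string) $value;
        } else {
            $rejected[] = (string) $name;
        }
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed sample request: one legitimate field plus an option that
// the "general" page does not own.
$request = [
    'blogname'       => 'My blog',
    'active_plugins' => 'constructed-value',
];

$result = filter_option_update('general', $request);
foreach ($result['rejected'] as $name) {
    // Rejections are worth logging: they indicate a tampered form.
    error_log("options update rejected: '$name' is not allowed on page 'general'");
}
print_r($result);
```

Only the entries under 'accepted' would be passed on to the code that writes options; the rejected names give operators a signal that someone submitted a modified form.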
Disclosure Timeline
- 08/16/2007 - Bug found
- 12/15/2007 - Vendor contact
- 01/26/2008 - WordPress MU 1.3.2 released
- 02/05/2008 - Public Disclosure