WordPress Vulnerability in Older Versions < 2.8.4

ikonic · #1 12-09-2009, 09:11 AM

There is currently a "new" vulnerability in older versions of Wordpress

WordPress › Support » Question About Possible Hack of Site
Old WordPress Versions Under Attack « Lorelle on WordPress

If you use WordPress and haven't updated it yet then you probably should ASAP

For the techies - essentially non administrators can modify the permalink structure via a post request to the following which causes the php engine to eval or execute the data/arguments passed in by the http referrer.

/%&({${eval(base64_decode($_SERVER[HTTP_REFERER]))}}|.+)&%/

fintan · #2 25-09-2009, 01:52 AM

I've spent the last two days upgrading all my blogs from an old wp version to the latest version, am i correct in saying that there is now an auto update function in wp? As I really don't want to update 50 sites manually again!

ikonic · #3 25-09-2009, 07:44 AM

When you login there should be a link on the main admin screen to check for updates/download and install updates.

HarveyJ · #4 25-09-2009, 08:22 AM

Hasn't WP had an auto-update feature since 2.8.1?
Although it doesn't work if the permissions aren't set correctly...
I know there used to be an auto-update plugin that was amazingly handy.

fintan · #5 25-09-2009, 02:14 PM

Your both right, Im the idiot who didnt look before he started manually updating everything.

spacey · #6 26-09-2009, 06:16 PM

i updated but dont know much about back up files , very pleased to see latest version has theme change options that offers many choices ! ..... goof stuff