Serious WordPress Vulnerability/Exploit Version 2.0.3 and Below


Yes, that means every version up to and including the current release; 2.0.4 has not been released at the time of writing.

A vulnerability has been found in the current release of WordPress, affecting WordPress 2.0.3 and below (including 1.5.x), that allows registered subscriber accounts to cause serious damage.

If you are running WordPress, it is recommended for now that you disable the “Anyone can Register” option in the ‘Options’ tab.

It is also advised that you delete any unknown subscribers who have not commented or whom you do not know personally.
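A read-only audit, added here as an example (not from the original post or from WordPress itself), that checks the two things the post tells you to look at directly in the database: whether open registration is on, and which subscriber-role accounts have never left a comment. It assumes the default `wp_` table prefix on MySQL; matching comments to accounts by e-mail address is a heuristic of mine, since the post does not say how "unknown" subscribers should be identified.

```sql
-- Assumptions: default wp_ table prefix, MySQL (added example, not from the post).

-- 1. Is "Anyone can Register" enabled? option_value '1' means open registration.
SELECT option_value AS anyone_can_register
FROM wp_options
WHERE option_name = 'users_can_register';

-- 2. Subscriber-role accounts that have never commented, oldest registration first.
--    The role is read from the serialized wp_capabilities meta value;
--    comments are matched to accounts by e-mail address (heuristic).
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m
  ON m.user_id = u.ID
 AND m.meta_key = 'wp_capabilities'
 AND m.meta_value LIKE '%"subscriber"%'
LEFT JOIN wp_comments AS c
  ON c.comment_author_email = u.user_email
WHERE c.comment_ID IS NULL
ORDER BY u.user_registered;

-- 3. Same effect as unticking "Anyone can Register" in the Options tab.
UPDATE wp_options
SET option_value = '0'
WHERE option_name = 'users_can_register';
```

Query 2 is only a starting list for the manual review the post asks for; an account that commented from a different address will not appear in it.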

The WordPress developers are aware of the flaw, and it will hopefully be fixed in the imminent 2.0.4 release.

Leaving it open and letting people sign up for guest accounts on your WordPress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me, I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.

The WordPress dev team was notified a while back and I dare hope they will soon start acting on it, if only by relaying a similar announcement through the official channel (as well as, of course, releasing a proper patch).

Source: Dr Dave

Posted in: Exploits/Vulnerabilities, Web Hacking



  1. Navaho Gunleg » WordPress users: Disable ‘Anyone can register’! - July 27, 2006

    […] Through Darknet I discovered that apparently a vulnerability has been found in WordPress that could allow evil people to do nasty stuff. Details remain vague though, but according to Dr Dave, one should disable the Anyone can register thingy in the Options of their weblog to prevent the vulnerability being exploited. […]

  2. An Information Security Place » Blog Archive » Serious flaw in Wordpress 2.0.3 and below - July 27, 2006

    […] For my blogging friends out there using WordPress, take serious note of this post from Darknet. Seems like all versions of WordPress below 2.0.3 are vulnerable (2.0.4 should be coming out very soon) to a flaw in the Subscriber functionality. If you require people to register before they can comment, then you need to make sure you turn off the “anyone can register” option and delete any subscribers you do not know personally or who have never posted or have not posted for a long time (personally, I don’t require people to subscribe to comment – you might consider either turning off comments or not requiring membership until 2.0.4 comes out). […]

  3. Critical bug in WordPress 2.0.3 and older versions - kobak pont org - July 27, 2006

    […] source: darknet, dr dave. Click these if you want to save the post. […]

  4. The Code Cave - July 28, 2006

    […] Thanks to some drastic and controversial actions taken by SpamKarma creator Dr. Dave, a large percentage of the blogging populace has been alerted to a security hole in WordPress. He even went to the effort of activating a warning message that was sent out to everyone who uses his SK2 plugin. This has resulted in a lot of fear spreading among a huge number of bloggers. This sort of thing just spreads exponentially. Here’s a quasi random sampling of two dozen of the first posts on it: ………………….. And these were just from the English blogs that posted about this on the same day as the notice going out. The neat thing is that these are some of the most on-top-of-things bloggers out there. Those 24 blogs have some great content and great visual styles. They are well worth perusing… […]

  5. Security Ripcord » Blog Archive » Site Taken Down For Wordpress Security Problem - July 31, 2006

    […] Some of you may have noticed that the site was down for a couple of days. This was because of an apparent flaw with WordPress. While I was attending the ACUTA conference in San Diego I decided to catch up on the news. I am glad that I did because I noticed that Darknet had an entry about a newly discovered security vulnerability with all versions of WordPress below 2.0.4. Unfortunately his actual site was down and I was not able to read the full article. So I made a quick judgment call and decided to take the site down until I understood more about what was actually happening. […]

  6. Wordpress 2.0.4 Released - Fixes Security Issues » - July 31, 2006


  7. ÐÊ£F‡Ñ§ » Blog Archive » Registrations disabled - August 20, 2006

    […] Because of a dangerous flaw in WordPress I am forced to temporarily disable registrations (pending a fix for this bug). Therefore it will no longer be possible to register. More info on the bug HERE […]