If you are running WordPress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked).

Additionally, delete or disable ANY guest account already created by people you are not sure about.

Leaving it open and letting people sign up for guest accounts on your WordPress blog could lead to incredibly nasty stuff happening, if anybody so desired. And trust me, I am not exaggerating this. So don’t wait a second to disable this option, and please relay the message.

The WordPress dev team was notified a while back, and I dare hope they will soon start acting on it, if only by relaying a similar announcement through the official channel (as well as, of course, releasing a proper patch).

Sorry for the shrill hysterical tone, but this is a big deal. However, disable that one option and you are fine, no need to panic further :)

[cheers go to Geoff Eby for discovering and bringing this insane security exploit to my attention]

Update: a small follow-up addressing the comments and concerns I have received since this warning is posted here. Feel free to ignore it completely unless you really care about inner WordPress politics (yawn).

Update 2: WordPress upgrade 2.0.4 should now patch this bug. If your version of WordPress is equal to or higher than 2.0.4, feel free to ignore the warning above. If not, then you should/MUST upgrade (more details in the comments).
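As an added example (my own, not part of the post and not WordPress code), here is a small audit that checks the three things the post asks readers to verify: the installed version against 2.0.4, the “Anyone can register” setting, and the role new accounts receive. It assumes `wp-includes/version.php` has been read as text and that the `wp_options` rows (`users_can_register`, `default_role`) have already been fetched into a dict; the sample inputs are constructed. Note the version comparison is numeric, so a hypothetical 2.0.10 is correctly treated as newer than 2.0.4.

```python
import re
from typing import Dict, List, Tuple

FIXED_IN = "2.0.4"  # release the post says closes the bug


def parse_wp_version(version_php: str) -> str:
    """Pull the $wp_version string out of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.0.10' -> (2, 0, 10); a '-beta1' style suffix is dropped.
    Compare numerically: as plain strings '2.0.10' < '2.0.4'."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def needs_upgrade(version: str, fixed_in: str = FIXED_IN) -> bool:
    return version_tuple(version) < version_tuple(fixed_in)


def audit(version_php: str, options: Dict[str, str]) -> List[str]:
    """Return one finding per problem. `options` maps option_name to
    option_value as stored in wp_options (assumed already fetched)."""
    findings = []
    version = parse_wp_version(version_php)
    if needs_upgrade(version):
        findings.append(f"WordPress {version} is older than {FIXED_IN}: upgrade")
    if options.get("users_can_register", "0") == "1":
        findings.append("'Anyone can register' is enabled: disable it")
    role = options.get("default_role", "subscriber")  # option absent on 1.5.x
    if role != "subscriber":
        findings.append(f"default_role is '{role}': new accounts get more than the minimum")
    return findings


# Constructed sample input, not taken from any real site.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '2.0.3';\n"
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "subscriber"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION_PHP, SAMPLE_OPTIONS):
        print("FINDING:", finding)
```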

126 Responses to “Critical Announcement affecting ALL WordPress users”

Matthew says:

What exactly do you mean by “guest?” It isn’t listed as a subscriber type. Do you mean “subscriber,” which is the lowest level of user? Also, to disable it, would I uncheck the “Allow anyone to register” option in the “General” options tab? Sorry, but I’m just a little confused about this problem…

stabani says:

What exactly happens? The reason I ask is that two of my sites (techiecity.net and clearout.info) were hacked just today by some weird dude. The whole server is down for the count.

Patrick says:

I don’t remember touching that setting in my blog and I don’t have it enabled, so I don’t think it’s turned on by default. But thanks for the warning.

Jason says:

If anyone has more details about the vulnerability and what newly registered users can do, please e-mail me privately at [censored]
Note from drD: Removed your email address as it was both seemingly invalid and not likely to get you any helpful info anyway. As I said below, you will have to trust us for now and take the really tiny leap of disabling that option for the time being, until more can be said safely…

geoffe says:

@Matthew, you are correct in both cases.

@Patrick, it is disabled by default in newer versions of WP.

Also, this affects 1.5.x users as well.

peter says:

Great .. finally a life sign of the love-lorn drdave … and it is a message of doom !!!!

mounty says:

So…are you going to update us all via comments here when this flaw has been patched?

FIAR says:

It would be nice to have some details on this exploit. My new user default role is “subscriber.” I’m not sure what difference a “subscriber” can make other than to leave comments, which BTW can be done at my site without registration.

Will says:

Um, great! I don’t see anything about this on wordpress.org anywhere?

dr Dave says:

Hello all… In a nutshell:

1) what geoff_e said.

2) no, obviously I cannot give you the slightest amount of detail on the exploit. You’ll have to take my word for it (but don’t feel like you have to). It’s been tested and shown to exist with varying levels of danger on *all* versions of WP up to the very last one.

3) wp devs have been notified. I am *not* an official WP dev. Both this announcement and any technical opinion I may have about it are my very own and not in any way representative of the official WP position, response to it or lack thereof (thanks Cthulhu).

4) it is fairly easy to patch, though Lead seems to have had more important priorities at the moment. However, merely releasing the patch is akin to publicly disclosing the exploit. Which *must* be done at some point, but hopefully not before as many regular users as possible have heard the message and protected their blog (I trust the simple act of disabling this option is more likely to be done promptly than an actual upgrade).

5) if looking for any official answer, emergency response deployment, reassurance, dismissal or otherwise Party-sanctioned advice, contact WP officials, not me.

Thanks and happy blogging nonetheless…

Sarah-Jean says:

Where did you get this information?? How do you know about this??

I disabled it in my 4 blogs and deleted a bunch of users that signed up but never left comments.

I’m confused though….

What’s weird is that I actually thought that someone hacked one of my sites yesterday because all of a sudden the comment section stopped working. I had to make a whole new theme for my site because the comments just wouldn’t work! I couldn’t figure out how to fix it. The new theme works fine now, but I thought it was strange. Do you think someone actually hacked my site?!

I am anxious for more information…

Matt says:

drDave, if you think you have found a vulnerability the best thing to do is email security@wordpress.org, not cause a panic with a cryptic blog post. We’re about to put out a release and I haven’t received anything from you so I need to know if this is already fixed in 2.0.4 or not.

Is this a hoax? Who knows.

There are procedures when you find a security issue. Contacting the upstream author and vendor sec, obtaining CVE ids from Mitre, contacting relevant distribution channels, etc.

Posting scare stories on a blog, no matter how true they may be, is not a way to deal with a security issue.

nacken says:

Considering the source .. i have no doubt in trusting this ‘minor panic’ … it is not like drdave is asking to shut down the blog or delete all my porn pics from my hard drive …

The alternative? He informs the proper channels (which I believe he did) and waits for them to act … in the meantime some script happy hacker has deleted my blog … er.. ok .. i go with mild panic if I may …

ta ta

dr Dave says:

Hello all,

Response to the above comments (and more): here.

jalal says:

Thanx for the heads up.
But why is there nothing on the WordPress web site? Not even in the forums?

And, I don’t seem to have a guest user on my site… (scratches head)…. :(

I saw the update within SpamKarma and appreciate very greatly you bringing this security notice to the WP community’s attention. Thanks for the information, action on my part has already been taken!

Leion says:

Noted. I have never enabled it anyway. Thanks :)

GreyDuck says:

Stupid Question Time: In order to get an official fix for my 1.5.x installation(s!!), I’m going to have to upgrade to 2.0.x, aren’t I?

Let me tell you just how absolutely delighted I am at the prospect…

Luke says:

@ GreyDuck:

For users that are not on the latest version, and don’t have any problems muddling through code, it would be possible to find out the changes from 2.0.3 to 2.0.4, and then look to see if the specific change can be applied to your version.

This is assuming that this issue made it into 2.0.4, since it was all but off the shelf when the issue was brought to their attention.

The best bet is to disable registration for a while, and then see what Geoff and Dr. D have to say about whether it is fixed or not. If it is, then proceed. And good luck.

If 2.0.4 does correct the problem, and you are not completely comfortable with PHP, then your option is upgrading your install, or leaving registration off.

dr Dave says:

Update on the security flaw

The exploit has been, as far as I can tell(*), fixed by the latest 2.0.4 release. You are therefore strongly recommended to (read: you MUST) upgrade to this version.

As for the “users can register” option: enabling it back should be OK.
I personally will leave it off on my blogs, as I just don’t feel like entrusting strangers with access to wp-admin in the current state of the code (I insist that the aforementioned exploit has been fixed now, I am only being paranoid here).

(*) Note that this is only my own very superficial testing of the code released: in no way the word of any official developer. You should all be aware that I have barely any more official knowledge of this than you do, considering Matt’s fondness for the stealth&ignore school of crisis management (basically, if it doesn’t make it on Slashdot, you can bet you’ll never read about it on his blog). As you may have noticed, he has been marvellously low-key about the whole thing (you know, don’t want investors users to “panic” or, god forbid, start suspecting that WP might sometimes have security flaws in it). It also bears pointing out that he has neither contacted me nor replied to my emails in any way other than posting his very helpful comment above.

And just to definitely close that chapter of WP’s Incredible Security Adventures by saying I have no regrets whatsoever about releasing this warning, given the way it was otherwise handled by WP officials: 1) deny 2) minimize 3) somewhat acknowledge 4) keep shut 5) release an upgrade that likely won’t be installed by more than 50% of the general public with for only communication a tiny confusing “upgrade announcement” message in the dashboard feed, wedged between two inconsequential WP marketoid news.

facilitating hack a vulnerability?

Ok.. So finally Kim did post about my exploit…. (our communication on the subject has been via email so far). I’m not too sure if it should be termed a “hack” though, just because if the intention was to hack, I could have very …

[...] Security Alert! Filed under: General Info, Tips & Tricks by Maria on July 26, 2006 Dr Dave, developer of the must-have spam prevention tool, Spam Karma, sent out the following alert message to all Spam Karma users as an announcement in the Spam Karma administration panel: MAJOR SECURITY ANNOUNCEMENT Affecting all WP users (this is not specifically a Spam Karma problem). Please immediately disable ‘guest user registration’ on your blog if it’s enabled and advise all your friends to do so (details here). I cannot give too much technical details as it would further endanger vulnerable WordPress users, but trust me this is not a joke. [...]

[...] Authors of popular plugins for WordPress such as Dr. Dave (Spam Karma) are discontinuing their association with WordPress because of some baby mama drama jamma damma. I didn’t really read through everyones blogs to see what everyones points of views were (the main WordPress developers vs. outside WordPress developers) but it seemed basically like the outside people were not liking the way Matt (co-creator and owner of WP) was handling things or maybe it’s because WP might be doing some evil stuff on the side. I guess everyone has their share of drama – even the nerds. Posted by Eric on Saturday, September 23, 2006 12:50 am (Possibly) Related Posts: [...]

[...] Our good Doctor Dave, responsible among other things for the excellent and indispensable Spam Karma plug-in (which yours truly prefers to Akismet, by the way), reports a fairly significant security flaw affecting all versions of WordPress. [...]