What exactly do oyu mean by “guest?” It isn’t listed as a subscriber type. Do you mean “subscriber,” which is the lowest level of user? Also, to disable it, would I uncheck the “Allow anyone to register” option in the “General” options tab? Sorry, but I’m just a little confused about this problem…

[...] more details [...]

I don’t remembering touching that setting in my blog and I don’t have it enabled so I don’t think it’s turned on by default. But thanks for the warning.

[...] som helst kan regga sig) bör slå av den omeddelbart enligt Dr. Dave, läs mer här.   [fast länk][trackback] [...]

@Matthew, you are correct in both cases.

@Patrick, it is disabled by default in newer versions of WP.

Also, this affects 1.5.x users as well.

[...] Dr Dave » Blog Archive » Critical Announcement affecting ALL Wordpress users [...]

[...] From Dr. Dave; (permalink) If you are running Wordpress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked). [...]

[...] Currently I’ve disabled registration for new users after being notified of a critical security problem. I don’t know what the flaw is (unlike Microsoft, Wordpress is choosing not to reveal how their flaws can be exploited before a fix is created), but since I don’t get many guest registrations I figured it couldn’t hurt. I’ll let you know when that feature is turned back on. [...]

So…are you going to update us all via comments here when this flaw has been patched?

[...] halten, was die Kommentare angeht. Man kann aber auch selbst einen Kommentar verfassen, oder ein Trackback von der eigenen Seite ausmachen. [...]

[...] Affecting all WP users (this is not specifically a Spam Karma problem). Please immediately disable ‘guest user registration’ on your blog if it’s enabled and advise all your friends to do so (details here). I cannot give too much technical details as it would further endanger vulnerable Wordpress users, but trust me this is not a joke. [...]

Hello all… In a nutshell:

1) what geoff_e said.

2) no, obviously I cannot give you the slightest amount of detail on the exploit. You’ll have to take my word for it (but don’t feel like you have to). It’s been tested and shown to exist with varying levels of danger on *all* versions of WP up to the very last one.

3) wp devs have been notified. I am *not* an official WP dev. Both this announcement and any technical opinion I may have about it are my very own and not in any way representative of the official WP position, response to it or lack thereof (thanks Cthulhu).

4) it is fairly easy to patch, though Lead seem to have had more important priorities at the moment. However, merely releasing the patch is akin to publicly disclose the exploit. Which *must* be done at some point, but hopefully not before as many regular users as possible have heard the message and protected their blog (I trust the simple act of disabling this option is more likely to be done promptly than an actual upgrade).

5) if looking for any official answer, emergency response deployment, reassurance, dismissal or otherwise Party-sanctionned advices, contact WP officials, not me.

Thanks and happy blogging nonetheless…

[...] More details here . Technorati Tags: WordPress Bookmark Important security announcement affecting ALL WordPress users! at:                                     [...]

[...] According to Dr Dave there is a serious security flaw in all versions of WordPress. His advice is to immediately disable the “anyone can register option” (Go to the admin panel, under Options->General, about half way down the page) to protect yourself in the meantime. [...]

[...] Due to a security exploit found in ALL versions of WordPress, open registration for new accounts has been temporarily suspended until WordPress can come out with a patch. [...]

Where did you get this information?? How do you know about this??

I disabled it in my 4 blogs and deleted a bunch of users that signed up but never left comments.

I’m confused though….

What’s weird is that I actually thought that someone hacked one of my sites yesterday because all of a sudden the comment section stopped working. I had to make a whole new theme for my site because the comments just wouldn’t work! I couldn’t figure out how to fix it. The new theme works fine now, but I thought it was strange. Do you think someone actually hacked my site?!

I am anxious for more information…

Seguridad, WordPress, registro de usuarios y preocupación

ProBlogger se despacha hace menos de una hora con una entrada títulada “Possible WordPress Security Problem” donde Dr Dave hace un anuncio (en mi opinión quizá algo alarmista) llamado “Critical Announcement affecting ALL Wordpress …

[...] You are also advised to delete all Guest users or any users that you do not know personally, details about this exploit can be read at Dr Dave blog. [...]

如果用WordPress,那么要小心了

如果你用了wordpress,请马上禁用掉任何人可注册选项(管理后台->Options->去掉Anyone can register选项前面的勾).然后检查一下已注册的用户是否有可疑,如果可疑请删除.Leaving it open and letting people s…

Sicherheitslücke?

Offenbar gibt’s ein über-böses Sicherheitsloch in Wordpress, wenn die Benutzerregistrierung aktiviert ist, wie ich von Dr Dave gelernt habe. Da ich ihm glaube, ist also bis auf weiteres keine Registrierung mehr möglich. Dies ist aber kein Pr…

[...] can swallow a pint of blood before you get sick. « Le Grand bleu WP Probs Dr Dave mentioned the wp users should immediately disable the “anyone can register” ,due to his point, it could cause “your wp blog could lead to incredibly nasty stuff happening if anybody so desired”. read more at dr dave. blog, dr dave, incredibly, lead, nasty, register, stuff, updates and news [...]

[...] I have disabled new guest accounts due to this security problem. I don’t have many guest accounts so I’m not going to delete them for now. [...]

[...] The details of the exploit have not been publicly released yet to give people time to defend against the exploit before a patch is released. I highly recommend you read the details. [...]

[...] Notre bon docteur Dave, entre autres choses responsables de l’excellent et indispensable plug-in Spam Karma (que votre serviteur préfère à Akismet, en passant) signale une faille de sécurité assez importante pour toutes les versions de WordPress. [...]

[...] See Dr Dave » Blog Archive » Critical Announcement affecting ALL Wordpress users [...]

[...] slått av – sikkerhetsfeil ved WordPress (0) Kommentarer – TrackBack Det har blitt oppdaget en større sikkerhetsrisiko i WordPress, – dette gjelder alle blogger somlar brukerne registrere seg selv. [...]

Is this a hoax? Who knows.

There are proceedures when you find a security issue. Contacting the upstream author and vendor sec, obtaining CVE ids from Mitre, contacting relevent distribution channels, etc.

Posting scare stories on a blog, no matter how true they may be is not a way to deal with a security issue.

[...] Coming direct from the blog of Dr Dave (the evil genius behind anti spam plugin Spam Karma), he reports on a critical flaw that has been discovered in WordPress that can allow very bad things to happen: [...]

Hello all,

Response to the above comments (and more): here.

[...] Dr Dave is warning of a recently discovered security risk affecting ALL users on ALL VERSIONS of Wordpress If you are running Wordpress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked). [...]

[...] Article Link [...]

[...] Sicherheitsalarm. Gerade schneite hier über die Benachrichtigungsfunktion von SpamKarma2 eine Sicherheitswarnung herein. Dr. Dave warnt hier sehr deutlich vor einer allzu offenen Benutzerregistrierung: If you are running Wordpress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked). [...]

[...] If you use Wordpress and have checked “permit guest users” under options, uncheck that option now. Why do this? Because Dr. Dave “The Unknown Genius” who wrote SpamKarma is suggesting all Wordpress useres do this as a precautionary measure while the real Wordpress gurus patch a security bug. [...]

[...] Genauere Details über den Exploit gibts (noch) nicht. Hier klicken für den ganzen Artikel. [...]

[...] WordPress Guest Registration Security Concern I was reading through my RSS Feeds today, and Darren Rowse mentioned that there was a security concern pointed out to him from Dr Dave regarding a feature of WordPress that allows guests to the site to register as users on the site. [...]

[...] 剛剛整理 blog 時看到 Spam Karma 2的 critical announcement, 說要把 User Registration 的功能關掉, 以免麻煩. [...]

[...] Lord Misha has informed the blogorandomgeometricshape that WordPress sites with open registration. Apparently that leaves sites vulnerable to undisclosed nastiness. By Imperial Decree, kinda, registration is now closed. I also deleted the profiles of people I didn’t recognize. If deleted you by mistake, send me an e-mail, and I will re-register you. Also, if you would like to be registered, send me an e-mail, and I will take care of it. Thanks. [...]

[...] forrás: darknet, dr dave Ezekre klikk, ha menteni akarod a posztot. [...]

[...] Vse kar vam je storiti je to, da odklikate v admin sekcijo Options > General > Membership, odznačite opcijo “Anyone can register” in tako bo bojda vse v najlepšem redu do popravka. Bom pa zadevo spremljal in vas obvestil kako in kaj… Drugače si pa preberite tole in tole. [...]

[...] Dr Dave » Critical Announcement affecting ALL Wordpress users [...]

[...] Thanks to some drastic and controversial actions taken by SpamKarma creator Dr. Dave, a large percentage of the blogging populace has been alerted to a security hole in WordPress. He even went to the effort of activating a warning message that was sent out to everyone who uses his SK2 plugin. This has resulted in a lot of fear spreading amoung a huge number of bloggers. This sort of thing just spreads exponentialy. Here’s a quasi random sampling of two dozen of the first posts on it: ………………….. And these were just from the English blogs that post about this on the same day as the notice going out. The neat thing is that these are some of the most on-top-of-things bloggers out there. Those 24 blogs have some great content and gread visual styles. The are well worth perusing… [...]

[...] Looks like according to Dr Dave of Spam Karma an security hole or hack using guest accounts on Wordpress. You’re severely recommended to goto ‘Options’ in your control panel and unclick ‘Anyone can register’ for the moment. [...]

[...] Critical Announcement affecting ALL Wordpress users: If you are running Wordpress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked). Additionally, delete or disable ANY guest account already created by people you are not sure about. [...]

[...] Dr Dave of Spam Karma fame warns of a potential security risk: If you are running Wordpress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked). [...]

[...] July Administrator09:35 amAdd comment I don’t believe there is anything in the wild, but Dr. Dave (of famed Spam Karma – of which I’m a big fan) has seen a proof of concept for it. He said that Geoff Eby, an acquaintance of his, showed him a proof of concept that was “insane.” So, I’m guessing by his word choice that this is very serious. There is probably some way to escalate privilege or something. In any case, here’s what you need to know to make sure you aren’t victimized. [...]

Noted. I have never enable it anyway. Thanks

User Registration Temporarily Disabled

Due to a security exploit found in ALL versions of WordPress, open registration for new accounts has been temporarily suspended until WordPress can come out with a patch.
In addition, all users that had registered here but never left a comment have bee…

[...] If you use registration (like I do), you should turn it off. More here. [...]

Stupid Question Time: In order to get an official fix for my 1.5.x installation(s!!), I’m going to have to upgrade to 2.0.x, aren’t I?

Let me tell you just how absolutely delighted I am at the prospect…

[...] Texto Original: Critical Announcement Affecting All WordPress Users [...]

[...] SNAKES!!!! Published Luglio 29th, 2006 in E-life Pare ci sia un bug estremamente critico per WP. Almeno secondo DrDave. Per questo mi sono trovata costretta a disabilitare la sottoscrizione automatica per i nuovi utenti. Essendo niubbissima di WP no so esattamente che cosa questo significhi… non credo cambi molto rispetto a prima, ma se per caso ci fossero problemi nel commentare (eventualmente) i miei articoli, fatemelo sapere scrivendo a strixowl (chiocciola) gmail (punto) com. [...]

@ GreyDuck:

For users that are not on the latest version, and don’t have any problems muddling through code, it would be possible to find out the changes from 2.0.3 to 2.0.4, and then look to see if the specific change can be applied to your version.

This is assuming that this issue made it into 2.0.4, since it was all but off the shelf when the issue was brought to their attention.

The best bet is to disable registration for a while, and then see what Geoff and Dr. D have to say about whether it is fixed or not. If it is, then proceed. And good luck.

If 2.0.4 does correct the problem, and you are not completely comfortable with PHP, then your option is upgrading your install, or leaving registration off.

Update on the security flaw

The exploit has been, as far as I can tell(*), fixed by the latest 2.0.4 release. You are therefore strongly recommended to (read: you MUST) upgrade to this version.

As for the “users can register” option: enabling it back should be OK.
I personally will leave it off on my blogs, as I just don’t feel like entrusting strangers with access to wp-admin in the current state of the code (I insist that the aforementioned exploit has been fixed now, I am only being paranoid here).

(*) Note that this is only my own very superficial testing of the code released: in no way the word of any official developer. You should all be aware that I have barely any more official knowledge of this than you do, considering Matt’s fondness for the stealth&ignore school of crisis management (basically, if i doesn’t make it on Slashdot, you can bet you’ll never read about it on his blog). As you may have noticed, he has been marvellously low-key about the whole thing (you know, don’t want investors users to “panic” or, god forbid, start suspecting that WP might sometimes have security flaws in it). It also bears pointing out that he has neither contacted me nor replied to my emails in any way other than posting his very helpful comment above.

And just to definitely close that chapter of WP’s Incredible Security Adventures by saying I have no regrets whatsoever about releasing this warning, given the way it was otherwise handled by WP officials: 1) deny 2) minimize 3) somewhat acknowledge 4) keep shut 5) release an upgrade that likely won’t be installed by more than 50% of the general public with for only communication a tiny confusing “upgrade announcement” message in the dashboard feed, wedged between two inconsequential WP marketoid news.

[...] Una nueva versión de Wordpress ha salido para poder ser descargada, en esta versión se corrigen más de 50 bugs de la versión anterior, incluyendo un grave problema de seguridad anunciado hace pocos días. [...]

[...] Najwyrazniej jakis paskudny bug w kodzie: http://unknowngenius.com/blog/archives/2006/07/26/critical-announcement-to-all-wordpress-users/ Nawet nie uzywajac trzeba uwazac. Skandal. [...]

[...] Se ha deshabilitado temporalmente el registro de usuarios nuevos, hasta que se actualize la instalación de Wordpress. Esto debido a un bug en versiones anteriores del propio Wordpress. [...]

[...] Updated to the latest Wordpress (v2.0.4) to take care of some security issues and various other bugs. I figured that with the update of code I’d try to freshen up the site with a new theme. Being me, it doesn’t work completely proper with the initial install and is going to require some tweeking. I’ll be working on that over the next couple days. Also, IE7 Beta3 likes to throwup when trying to connect to the site claiming there’s a DNS error even though Firefox works just fine. Yay beta! [...]

[...] Allegedly there is some kind of problem with open registration on Wordpress blogs. Better safe than sorry – make sure you’ve turned off the anyone can register option. [...]

[...] WE have reactivated user registration after upgrading to WordPress version 2.0.4 last week. We had to temporarily disable the feature after Dr. Dave, Spam Karma creator, alerted bloggers using WordPress to a potential security issue. The recent upgrade has patched this bug. [...]

[...] Източник
Малко повече информация по въпроса [...]

[...] I’ve been noodling around with the idea of a Free For All Friday on Slacker Manager, just to see what would show up. I was gonna do it tomorrow, but then I noticed that maybe it’s not such a good idea. Guess we’ll stay on lockdown around here for now. You can still comment, though. [...]

[...] The exploit used was described about three weeks ago (July 27th, 2006) when Dr. Dave published his “Critical Announcement affecting ALL Wordpress Users.”  All in all, it was a fairly stern warning.  I would have upgraded to a newer version of Wordpress but couldn’t because I was travelling: If you are running Wordpress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked). [...]

[...] Security Alert! Filed under: General Info, Tips & Tricks by Maria on July 26, 2006 Dr Dave, developer of the must-have spam prevention tool, Spam Karma, sent out the following alert message to all Spam Karma users as an announcement in the Spam Karma administration panel: MAJOR SECURITY ANNOUNCEMENT Affecting all WP users (this is not specifically a Spam Karma problem). Please immediately disable ‘guest user registration’ on your blog if it’s enabled and advise all your friends to do so (details here). I cannot give too much technical details as it would further endanger vulnerable Wordpress users, but trust me this is not a joke. [...]

[...] Authors of popular plugins for WordPress such as Dr. Dave (Spam Karma) are discontinuing their association with WordPress because of some baby mama drama jamma damma. I didn’t really read through everyones blogs to see what everyones points of views were (the main WordPress developers vs. outside WordPress developers) but it seemed basically like the outside people were not liking the way Matt (co-creator and owner of WP) was handling things or maybe it’s because WP might be doing some evil stuff on the side. I guess everyone has their share of drama – even the nerds. Posted by Eric on Saturday, September 23, 2006 12:50 am (Possibly) Related Posts: [...]