Critical Announcement affecting ALL WordPress users

If you are running WordPress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked).

Additionally, delete or disable ANY guest account already created by people you are not sure about.

Leaving it open and letting people sign-up for guest accounts on your WordPress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.

WordPress dev team has been notified a while back and I dare hope they will soon start acting on it, if only by relaying a similar announcement through the official channel (as well as, of course, releasing a proper patch).

Sorry for the shrill hysterical tone, but this is a big deal. However, disable that one option and you are fine, no need to panic further 🙂

[cheers go to Geoff Eby for discovering and bringing this insane security exploit to my attention]

Update: a small follow-up addressing comments and concerns I have received ever since this last warning, is posted here. Feel free to ignore completely unless you really care about inner WordPress politics (yawn).

Update 2: WordPress upgrade 2.0.4 should now patch this bug. If your version of WordPress is equal to or higher than 2.0.4, feel free to ignore the warning above. If not, then you should/MUST upgrade (more details in the comments).

126 comments

  1. @ GreyDuck:

    For users that are not on the latest version, and don’t have any problems muddling through code, it would be possible to find out the changes from 2.0.3 to 2.0.4, and then look to see if the specific change can be applied to your version.

    This is assuming that this issue made it into 2.0.4, since it was all but off the shelf when the issue was brought to their attention.

    The best bet is to disable registration for a while, and then see what Geoff and Dr. D have to say about whether it is fixed or not. If it is, then proceed. And good luck.

    If 2.0.4 does correct the problem, and you are not completely comfortable with PHP, then your option is upgrading your install, or leaving registration off.

  2. Update on the security flaw

    The exploit has been, as far as I can tell(*), fixed by the latest 2.0.4 release. You are therefore strongly recommended to (read: you MUST) upgrade to this version.

    As for the “users can register” option: enabling it back should be OK.
    I personally will leave it off on my blogs, as I just don’t feel like entrusting strangers with access to wp-admin in the current state of the code (I insist that the aforementioned exploit has been fixed now, I am only being paranoid here).

    (*) Note that this is only my own very superficial testing of the code released: in no way the word of any official developer. You should all be aware that I have barely any more official knowledge of this than you do, considering Matt’s fondness for the stealth&ignore school of crisis management (basically, if i doesn’t make it on Slashdot, you can bet you’ll never read about it on his blog). As you may have noticed, he has been marvellously low-key about the whole thing (you know, don’t want investors users to “panic” or, god forbid, start suspecting that WP might sometimes have security flaws in it). It also bears pointing out that he has neither contacted me nor replied to my emails in any way other than posting his very helpful comment above.

    And just to definitely close that chapter of WP’s Incredible Security Adventures by saying I have no regrets whatsoever about releasing this warning, given the way it was otherwise handled by WP officials: 1) deny 2) minimize 3) somewhat acknowledge 4) keep shut 5) release an upgrade that likely won’t be installed by more than 50% of the general public with for only communication a tiny confusing “upgrade announcement” message in the dashboard feed, wedged between two inconsequential WP marketoid news.

  3. Pingback: http://localhost

Comments are closed.