If you are running WordPress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked).
Additionally, delete or disable ANY guest account already created by people you are not sure about.
Leaving it open and letting people sign-up for guest accounts on your WordPress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.
WordPress dev team has been notified a while back and I dare hope they will soon start acting on it, if only by relaying a similar announcement through the official channel (as well as, of course, releasing a proper patch).
Sorry for the shrill hysterical tone, but this is a big deal. However, disable that one option and you are fine, no need to panic further 🙂
[cheers go to Geoff Eby for discovering and bringing this insane security exploit to my attention]
Update: a small follow-up addressing comments and concerns I have received ever since this last warning, is posted here. Feel free to ignore completely unless you really care about inner WordPress politics (yawn).
Update 2: WordPress upgrade 2.0.4 should now patch this bug. If your version of WordPress is equal to or higher than 2.0.4, feel free to ignore the warning above. If not, then you should/MUST upgrade (more details in the comments).
What exactly do oyu mean by “guest?” It isn’t listed as a subscriber type. Do you mean “subscriber,” which is the lowest level of user? Also, to disable it, would I uncheck the “Allow anyone to register” option in the “General” options tab? Sorry, but I’m just a little confused about this problem…
what exactly happens? The reason I ask is that two of my sites (techiecity.net and clearout.info) were hacked just today by some wierd dude. The whole server is down for the count.
I don’t remembering touching that setting in my blog and I don’t have it enabled so I don’t think it’s turned on by default. But thanks for the warning.
If anyone has more details about the vulnerability and what newly registered users can do, please e-mail me privately at [censored]
Note from drD: Removed your email address as it was both seemingly invalid and not likely to get you any helpful info anyway. As I said below, you will have to trust us for now and take the really tiny leap of disabling that option for the time being, until more can be said safely…
@Matthew, you are correct in both cases.
@Patrick, it is disabled by default in newer versions of WP.
Also, this affects 1.5.x users as well.
Great .. finally a life sign of the love-lorn drdave … and it is a message of doom !!!!
So…are you going to update us all via comments here when this flaw has been patched?
It would be nice to have some details on this exploit. My new user default role is “subscriber.” I’m not sure what difference a “subscriber” can make other than to leave comments, which BTW can be done at my site without registration.
Um, great! I dont see anything about this on wordpress.org anywhere ?
Hello all… In a nutshell:
1) what geoff_e said.
2) no, obviously I cannot give you the slightest amount of detail on the exploit. You’ll have to take my word for it (but don’t feel like you have to). It’s been tested and shown to exist with varying levels of danger on *all* versions of WP up to the very last one.
3) wp devs have been notified. I am *not* an official WP dev. Both this announcement and any technical opinion I may have about it are my very own and not in any way representative of the official WP position, response to it or lack thereof (thanks Cthulhu).
4) it is fairly easy to patch, though Lead seem to have had more important priorities at the moment. However, merely releasing the patch is akin to publicly disclose the exploit. Which *must* be done at some point, but hopefully not before as many regular users as possible have heard the message and protected their blog (I trust the simple act of disabling this option is more likely to be done promptly than an actual upgrade).
5) if looking for any official answer, emergency response deployment, reassurance, dismissal or otherwise Party-sanctionned advices, contact WP officials, not me.
Thanks and happy blogging nonetheless…
Where did you get this information?? How do you know about this??
I disabled it in my 4 blogs and deleted a bunch of users that signed up but never left comments.
I’m confused though….
What’s weird is that I actually thought that someone hacked one of my sites yesterday because all of a sudden the comment section stopped working. I had to make a whole new theme for my site because the comments just wouldn’t work! I couldn’t figure out how to fix it. The new theme works fine now, but I thought it was strange. Do you think someone actually hacked my site?!
I am anxious for more information…
drDave, if you think you have found a vulnerability the best thing to do is email security@wordpress.org, not cause a panic with a cryptic blog post. We’re about to put out a release and I haven’t received anything from you so I need to know if this is already fixed in 2.0.4 or not.