Critical Announcement affecting ALL WordPress users

If you are running WordPress as your blogging platform and have been trusting enough to leave user registration open to guests, DISABLE IT IMMEDIATELY (in wp-admin >> Options, make sure “Anyone can register” is not checked).

Additionally, delete or disable ANY guest account already created by people you are not sure about.

Leaving it open and letting people sign up for guest accounts on your WordPress blog could lead to incredibly nasty things happening if anybody so desired. And trust me, I am not exaggerating. So don’t wait a second to disable this option, and please relay the message.
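As an added illustration (not part of the original post), here is how the two steps above look when checked directly against the database rather than through wp-admin. It assumes the default `wp_` table prefix and the WordPress 2.0-era schema, in which a self-registered account receives the role named in the `default_role` option (`subscriber` unless you changed it) and roles are stored serialized in `wp_usermeta` under the `wp_capabilities` key; the user ID 123 in the last statements is a placeholder.

```sql
-- Step 1: confirm the setting. option_value '1' means "Anyone can register" is on.
-- default_role shows which role a self-registered guest account is given.
SELECT option_name, option_value
  FROM wp_options
 WHERE option_name IN ('users_can_register', 'default_role');

-- Turn open registration off (same effect as unticking the box in wp-admin >> Options).
UPDATE wp_options
   SET option_value = '0'
 WHERE option_name = 'users_can_register';

-- Step 2: list accounts holding the subscriber role (the default for self-registration),
-- newest first, so you can review and remove the ones you do not recognise.
-- Assumes the WP 2.0 role storage: serialized array in wp_usermeta, key 'wp_capabilities'.
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value AS capabilities
  FROM wp_users u
  JOIN wp_usermeta m ON m.user_id = u.ID
 WHERE m.meta_key = 'wp_capabilities'
   AND m.meta_value LIKE '%"subscriber"%'
 ORDER BY u.user_registered DESC;

-- Remove a reviewed account: its usermeta rows and then the user row itself.
-- 123 is a placeholder; substitute the ID from the listing above.
DELETE FROM wp_usermeta WHERE user_id = 123;
DELETE FROM wp_users    WHERE ID = 123;
```

Back up the tables before running the UPDATE or DELETE statements. Deleting a user this way bypasses the wp-admin user screen, which is where WordPress lets you reassign that user's posts to someone else; a raw DELETE leaves any posts they wrote with a `post_author` that no longer exists, so check `wp_posts` for that ID first. Installs older than 2.0 keep roles differently (a `user_level` column on `wp_users`), so the role query above does not apply to them.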

The WordPress dev team was notified a while back, and I dare hope they will soon act on it, if only by relaying a similar announcement through the official channels (as well as, of course, releasing a proper patch).

Sorry for the shrill, hysterical tone, but this is a big deal. However, disable that one option and you are fine; no need to panic further 🙂

[cheers go to Geoff Eby for discovering and bringing this insane security exploit to my attention]

Update: a small follow-up addressing the comments and concerns I have received since this warning is posted here. Feel free to ignore it completely unless you really care about inner WordPress politics (yawn).

Update 2: WordPress upgrade 2.0.4 should now patch this bug. If your version of WordPress is 2.0.4 or higher, feel free to ignore the warning above. If not, then you should/MUST upgrade (more details in the comments).

Filed under: WordPress

126 comments

  1. Is this a hoax? Who knows.

    There are procedures when you find a security issue: contacting the upstream author and vendor-sec, obtaining CVE ids from Mitre, contacting relevant distribution channels, etc.

    Posting scare stories on a blog, no matter how true they may be, is not a way to deal with a security issue.

  2. Considering the source .. I have no doubt in trusting this ‘minor panic’ … it is not like drdave is asking me to shut down the blog or delete all my porn pics from my hard drive …

    The alternative? He informs the proper channels (which I believe he did) and waits for them to act … in the meantime some script-happy hacker has deleted my blog … er.. ok .. I go with mild panic if I may …

    ta ta

  3. Pingback: Bloggers Buzz
  4. Pingback: ^CatForSale$ »
  5. Pingback: Kinoblog
  6. Thanx for the heads up.
    But why is there nothing on the WordPress web site? Not even in the forums?

    And, I don’t seem to have a guest user on my site… (scratches head)…. 🙁

  7. Pingback: The Code Cave
  8. I saw the update within SpamKarma and appreciate very greatly your bringing this security notice to the WP community’s attention. Thanks for the information; action on my part has already been taken!

  9. Pingback: T. Longren
  10. Stupid Question Time: In order to get an official fix for my 1.5.x installation(s!!), I’m going to have to upgrade to 2.0.x, aren’t I?

    Let me tell you just how absolutely delighted I am at the prospect…

Comments are closed.