Critical Announcement affecting ALL WordPress users

by ·126 Comments

If you are running WordPress as your blogging platform and if you have been trusting enough to leave User registration enabled for guests, DISABLE IT IMMEDIATELY (in wp-admin >> options: make sure “Anyone can register” is not checked).

Additionally, delete or disable ANY guest account already created by people you are not sure about.

Leaving it open and letting people sign-up for guest accounts on your WordPress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.

WordPress dev team has been notified a while back and I dare hope they will soon start acting on it, if only by relaying a similar announcement through the official channel (as well as, of course, releasing a proper patch).

Sorry for the shrill hysterical tone, but this is a big deal. However, disable that one option and you are fine, no need to panic further 🙂

[cheers go to Geoff Eby for discovering and bringing this insane security exploit to my attention]

Update: a small follow-up addressing comments and concerns I have received ever since this last warning, is posted here. Feel free to ignore completely unless you really care about inner WordPress politics (yawn).

Update 2: WordPress upgrade 2.0.4 should now patch this bug. If your version of WordPress is equal to or higher than 2.0.4, feel free to ignore the warning above. If not, then you should/MUST upgrade (more details in the comments).

Filed under: WordPress

126 comments

  1. Pingback: Registrering slått av - sikkerhetsfeil ved WordPress | NorBlogg.net
  2. Pingback: eye-cu » Blog Archive » User-Registrierung bei WP sofort deaktivieren!!!

  3. Is this a hoax? Who knows.

    There are proceedures when you find a security issue. Contacting the upstream author and vendor sec, obtaining CVE ids from Mitre, contacting relevent distribution channels, etc.

    Posting scare stories on a blog, no matter how true they may be is not a way to deal with a security issue.

  4. Considering the source .. i have no doubt in trusting this ‘minor panic’ … it is not like drdave is asking to shut down the blog or delete all my porn pics from my hard drive …

    The alternative? He informs the proper channels (which I believe he did) and waits for them to act … in the meantime some script happy hacker has deleted my blog … er.. ok .. i go with mild panic if I may …

    ta ta

  5. Pingback: Bloggers Buzz
  6. Pingback: ^CatForSale$ »
  8. Pingback: Kinoblog
  9. Pingback: Cornell Finch » Critical Wordpress security Flaw
  10. Pingback: technozid » Wordpress userser - check your settings!
  11. Pingback: Liquidmatrix Security Digest
  12. Pingback: Home-Page do Cleuby Castilho
  13. Pingback: The Knitting Fiend » Blog Archive » Wordpress users: Disable “Guess User”

  14. Thanx for the heads up.
    But why is there nothing on the WordPress web site? Not even in the forums?

    And, I don’t seem to have a guest user on my site… (scratches head)…. 🙁

  15. Pingback: green lemon [dot] org » WordPress Exploit [update]
  16. Pingback: Basic Thinking Blog » Wordpress-Sicherheitswarnung
  17. Pingback:   WordPress Guest Registration Security Concern by Blogging Pro
  18. Pingback: Wordpress可能有一个潜在的安全问题 Yee’s Blog
  19. Pingback: - a knight’s tale - 乃特風雲錄 - » WP Critical Announcement
  20. Pingback: Citizen Dane » Blog Archive » WP advarsel
  21. Pingback: Fmragtops Spews » Blog Archive » Security Issues
  22. Pingback: WordPress Sicherheitslücke at apfelquak.de
  23. Pingback: kritikus hiba a wordpress 2.0.3 és régebbi verzióiban - kobak pont org
  24. Pingback: Sicherheitslücke in WordPress und 2.0.4 Beta Download — Software Guide
  25. Pingback: WP exploit at My `LiL blog
  26. Pingback: Israpundit » Blog Archive » New User Account Registration Temporarily SUSPENDED
  27. Pingback: Abandoned Stuff by Saskboy » Blog Archive » Announcement affecting ALL Wordpress users
  28. Pingback: All in a days work… » Blog Archive » links for 2006-07-28
  29. Pingback: The Code Cave
  30. Pingback: Oradeanul.com - jurnal de Oradea » Vulnerabilitate in Wordpress
  31. Pingback: Radio Clash Mash Up Podcast - a weekly podcast of mixes, mash-ups, and more! » Blog Archive » Wordpress Hack Security Issue

  32. I saw the update within SpamKarma and appreciate very greatly you bringing this security notice to the WP communities attention. Thanks for the information, action on my part has already been taken!

  33. Pingback: » Sicherheitslücke in Wordpress :: sansegundo.de
  34. Pingback: WordPress : France - Support Documentation Themes Plugins Traduction » Problème de sécurité pour toutes les versions de WordPress
  35. Pingback: No geek is an island » For Wordpress users
  36. Pingback: Nobrainer’s Hate Capacitor » Attention Wordpress Users
  37. Pingback: WordPress Guest Account Security Exploit - PaulTech - spyware killin’, firefox freakin’, gadget lovin’ goodness
  38. Pingback: T. Longren
  40. Pingback: blog.deobald.org » Blog Archive » Wordpress Security Warning
  41. Pingback: Church of the Painful Truth
  42. Pingback: Tinta Fantasma | Blog Archive | Bug crítico en wordpress
  43. Pingback: SayUncle » Wordpress alert
  44. Pingback: My source of joy - God, Mom and Jeff! » Critical Security Risk for Wordpress

  45. Stupid Question Time: In order to get an official fix for my 1.5.x installation(s!!), I’m going to have to upgrade to 2.0.x, aren’t I?

    Let me tell you just how absolutely delighted I am at the prospect…

  46. Pingback: greyduck.net » I don’t wanna upgrade!
  47. Pingback: 1337 & 933/< » Fallo Crítico en WordPress
  48. Pingback: WordPress Security Fix: WP 2.0.4 | K-Squared Ramblings
  49. Pingback: SNAKES!!!! at Zarabeth - La Gatta e la Luna
  50. Pingback: Registration Disabled at skenmy’s blog

Comments are closed.