
Wordpress 3.0.2 plugs SQL flaw

Wordpress 3.0.2 has been out for a short while, and the first details of the security flaw that led to the release of the update have started to appear - which is bad news for anyone who hasn't upgraded.

The open-source blogging platform is a huge success, powering somewhere in the region of 8.5 per cent of the entire web and impressing Microsoft enough to switch its own Live Spaces blogging platform over to the commercial Wordpress service hosted by Automattic.

Inevitably, however, its success makes it a tempting target for ne'er-do-wells - as we've seen in the past with the mass breach that hit Network Solutions customers and redirected visitors to Wordpress-powered blogs to malicious sites instead.

The most recent update to the platform, Wordpress 3.0.2, brought some major security improvements - and we're now finding out that this release has been pushed out to head a serious security bug off at the pass.

The flaw, discovered by security researcher M4g and kept quiet until Automattic could address the issue, allows those able to post on the site - specifically, anyone with the publish_posts or edit_published_posts capabilities - to execute arbitrary queries on the SQL database underlying the platform.

For those of a less technical bent, it means that any author on the site would be able to retrieve any data stored by Wordpress - including things that they're not supposed to see.

The vulnerability isn't thought to be under widespread attack due to the requirement for the attacker to have posting permissions on the site, but for larger sites with multiple authors - and Wordpress is used to host some of the largest sites out there - it's a serious problem nevertheless.

The issue, which stems from poor sanitisation of user input, has been resolved in Wordpress 3.0.2 - so if you're running Wordpress 3.0.1 or earlier, now would be a very good time to upgrade, especially if you're running a site with multiple authors.