Anyone running WordPress 2.3 with the "Anyone can register" checkbox on should go grab WordPress 2.3.1 Beta 1, as there's an exploit[1] in the wild: spammers are already using it to insert any link they please into your blogroll. Another solution is to close registration and delete any users you don't know.
h/t Root
[1] Not traditionally an exploit; there is no user privilege escalation, but users are allowed access to a feature that should be restricted.
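If you run 2.3 and want to check whether anyone has already taken advantage of open registration before you upgrade, the following review queries cover the two pieces of advice above (is registration still open, and which accounts and blogroll entries did not come from an administrator). They are an added example, not part of the original post, and they assume the default `wp_` table prefix and the WordPress 2.3 column names shown (`users_can_register`, `wp_capabilities`, `link_owner`, `link_updated`).

```sql
-- Added review queries (not from the post). Assumes the default wp_ table
-- prefix and the WordPress 2.3 schema column names used below.

-- 1. Is open registration still on? option_value '1' means the
--    "Anyone can register" checkbox under Options > General is checked.
SELECT option_name, option_value
  FROM wp_options
 WHERE option_name = 'users_can_register';

-- 2. Accounts that are not administrators, newest first. Anyone here you
--    do not recognise is a candidate for deletion. Role data lives in the
--    serialized wp_capabilities meta value, hence the LIKE test.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS capabilities
  FROM wp_users u
  LEFT JOIN wp_usermeta m
         ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
 WHERE m.meta_value IS NULL
    OR m.meta_value NOT LIKE '%administrator%'
 ORDER BY u.user_registered DESC;

-- 3. Blogroll entries whose owning account is not an administrator or no
--    longer exists. link_owner records the account that created the link,
--    so links added through a self-registered account show up here.
SELECT l.link_id, l.link_name, l.link_url, l.link_owner, l.link_updated,
       u.user_login
  FROM wp_links l
  LEFT JOIN wp_users u    ON u.ID = l.link_owner
  LEFT JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
 WHERE u.ID IS NULL
    OR m.meta_value IS NULL
    OR m.meta_value NOT LIKE '%administrator%'
 ORDER BY l.link_updated DESC;

-- 4. Close registration. This is the same change as unchecking the box in
--    Options > General; run it only if you cannot reach the admin UI.
UPDATE wp_options
   SET option_value = '0'
 WHERE option_name = 'users_can_register';
```

Review the output of queries 2 and 3 by hand before deleting anything: a legitimate contributor account created before the problem existed will appear in query 2 just like a spammer's, and only the links in query 3 that you did not add yourself need to go.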

4 Comments
That is so crazy! I personally don't run the registration on any of my blogs because it is a pain in the butt, but that must be a bad deal for so many people. Looking through the ticket, I am not sure if other plugins would have helped out or not with regards to registrations... thanks for the update Adam and Root!
The only reason I opened registration is because I'm running the OpenID+ plugin, which will supposedly pull down FOAF profiles for people who register with OpenID. Unfortunately, there's no way to restrict registration to only OpenID users.
Woot! for Root.
Indeed, Root provides quite the proactive support. Although a big woot also goes to ryan for releasing the beta. It's notoriously difficult to explain to people how to update a specific file from trac (see the linked support thread; there are tons of WordPress core files whose names are singular/plural versions of each other).