Link Spam in WP2.3

October 20, 2007 1:26pm 4 Comments

Anyone running wordpress 2.3 with the "Anyone can register" checkbox on, should go grab WordPress 2.3.1 Beta 1, as there's an exploit ((not traditionally an exploit, there is no user privilege escalation, but users are allowed to access to a feature that should be restricted)) in the wild. Meaning spammers are already using it  to insert any link they please into your blogroll.  Another solution is to close registration and delete any users you don't know.

h/t Root

Trent

That is so crazy! I personally don't run the registration any any of my blogs because it is a pain in the butt, but that must be a bad deal for so many people. Looking through the ticket, I am not sure if other plugins would have helped out or not with regards to registrations........thanks for the update Adam and Root!

October 21, 2007 3:43am

adam

The only reason I opened registration is because I'm running the OpenID+ plugin, which will supposedly pull down FOAF profiles for people who register with openID. unfortunately, there's no way to restrict registration to only OpenID users.

October 21, 2007 6:27am

brightfeather

woot! for Root. :)

October 21, 2007 8:59pm

adam

indeed, Root provides quite the proactive support. although a big woot also goes to ryan for releasing the beta. it's notoriously difficult to explain to people how to update a specific file from trac (see the linked support thread, there are tons of wordpress core files whose names are singular/plural versions of each other).

October 22, 2007 9:33pm