More to follow. New exploit tool released for old vulnerabilities; make sure you update, since versions up to 2.2.2 are affected…
16:03: The name of the tool is pwnpress, and it should work on all versions up to 2.2.3. There’s also a rumor (COMPLETELY UNVALIDATED YET) that 2.2.3 may be vulnerable if you installed it before yesterday. We’re downloading and testing the tool right now, but I lost my main test environment when I had to return some gear during the job change, so it will take a little longer.
17:15: Okay, the tool is pwnpress by LMH, and available at info-pull.com. I’ve tested it, but it only seems to fingerprint this blog, so 2.2.3 should be safe. I don’t have a vulnerable blog I can test against, so if you have a pre-2.2.3 blog you want me to test, just send me a private email (um, DON’T put it in the comments). I don’t have time to dig through the code, so it’s also likely I’m using it wrong, but other than pulling credentials it doesn’t seem to do any real damage.
Short answer: go ahead and update your WordPress blog to the latest version, and now that this tool is out there I highly suggest you keep it updated. The WordPress dashboard is nice enough to include announcements of new versions right there for you.
17:45: Someone let me test on their older blog, and it sort of works. Changes to themes or some other settings can mess up the exploits. I’ve crawled through the Ruby and it’s easy to see which exploits are in there if you want to poke around yourself. The code is clean and fully commented.
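The advice above boils down to "know what version you are running and update if it is older than the fixed release". As an added example (not from the original post or from the pwnpress tool), here is a small POSIX shell check that reads the version string WordPress stores in wp-includes/version.php and reports whether it is below a minimum you pass in. It assumes the standard WordPress file layout and a sort that understands -V; the two sample document roots are constructed inline so it runs stand-alone.

```shell
#!/bin/sh
# Added example, not part of the original post. Reports whether a WordPress
# install under a given document root is older than a minimum version by
# reading the `$wp_version = '...';` line from wp-includes/version.php.
# Assumption: standard WP layout and a `sort -V` that orders version strings.

# wp_version_of DOCROOT -> prints the installed version, fails if not found
wp_version_of() {
  f="$1/wp-includes/version.php"
  [ -r "$f" ] || return 1
  sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$f" | head -n 1 | grep .
}

# version_lt A B -> succeeds if A sorts strictly before B as a version number
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# wp_needs_update DOCROOT MIN -> 0 if installed < MIN (update needed),
# 1 if it is at or above MIN, 2 if the version could not be read
wp_needs_update() {
  v=$(wp_version_of "$1") || { echo "UNKNOWN: no version found under $1"; return 2; }
  if version_lt "$v" "$2"; then
    echo "UPDATE NEEDED: $1 runs WordPress $v (older than $2)"
    return 0
  fi
  echo "ok: $1 runs WordPress $v"
  return 1
}

# Constructed sample docroots so the script can be run as-is; point the
# functions at a real document root (e.g. /var/www/html) in practice.
tmp=$(mktemp -d)
mkdir -p "$tmp/old/wp-includes" "$tmp/new/wp-includes"
printf "<?php\n\$wp_version = '2.2.2';\n" > "$tmp/old/wp-includes/version.php"
printf "<?php\n\$wp_version = '2.2.3';\n" > "$tmp/new/wp-includes/version.php"

wp_needs_update "$tmp/old" 2.2.3   # UPDATE NEEDED
wp_needs_update "$tmp/new" 2.2.3   # ok
```

Running it periodically (cron, or from a config-management check) against each blog's document root is a cheap way to notice when an install has fallen behind, independent of the dashboard notice the post mentions.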
5 Replies to “Update Your WordPress Blog Immediately! New Exploit Tool Released”
Moving the xmlrpc.php file should work for a temp fix until it can be upgraded. I believe that this will disable adding posts and possibly other features. But at least your content can stay up until time is available for updating.
If I am wrong, please let me know.
Thank you,
Cutaway
I didn’t have a problem with the upgrade, it’s really straightforward as upgrades go
I upgraded, and somehow I had code crap in the top 200 pixels of every page (theme and admin). It even told me that I didn’t need to do a wp-upgrade process (!).
I deleted everything but my config file, and started over clean. Then, magically, it worked (or at least seems to).
You and I share themes, btw – I just messed with my CSS to make it different.
And be careful. Mine had issues with the upgrade!
Care to elaborate?