More to follow New exploit tool released for old vulnerabilities, make sure you update since versions up to 2.2.2 are affected…
16:03: The name of the tool is pwnpress, and it should work on all versions up to 2.2.3. There’s also a rumor (COMPLETELY UNVALIDATED YET) that 2.2.3 may be vulnerable if you installed it before yesterday. We’re downloading and testing the tool right now, but I lost my main test environment when I had to return some gear during the job change, so it will take a little longer.
17:15: Okay, the tool is pwnpress by LMH, and available at info-pull.com. I’ve tested it, but it only seems to fingerprint this blog, so 2.2.3 might should be safe. I don’t have a vulnerable blog I can test again, so if you have a pre-2.2.3 blog you want me to test, just send me a private email (um, DON’T put it in the comments). I don’t have time to dig through the code, so it’s also likely I’m using it wrong, but other than pulling credentials it doesn’t seem to do any real damage.
Short answer- go ahead and update your WordPress blog to the latest version, and now that this tool is out there I highly suggest you keep it updated. The WordPress dashboard is nice enough to include announcements of new versions right there for you.
17:45: Someone let me test on their older blog, and it sort of works. Changes to themes or some other settings can mess up the exploits. I’ve crawled through the Ruby and it’s easy to see which exploits are in there if you want to poke around yourself. The code is clean and fully commented.