WordPress 2.5.1 and CVE-2008-1930

WordPress 2.5.1 is already out, so the blog you upgraded last month is outdated and, worse, could be vulnerable. A Common Vulnerabilities and Exposures entry (CVE-2008-1930), quoted below, is now known to be the reason for this hastened release:

An attacker, who is able to register a specially crafted username on a WordPress 2.5 installation, is able to generate authentication cookies for other chosen accounts.

This vulnerability exists because it is possible to modify authentication cookies without invalidating the cryptographic integrity protection.

If a WordPress blog is configured to freely permit account creation, a remote attacker can gain WordPress-administrator access and then elevate this to arbitrary code execution as the web server user.

Note that this applies to sites that allow users to register, so if you have multiple authors or prefer users to register to comment, download WordPress 2.5.1 and upgrade using our painless technique!
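The advisory's statement that a cookie can be modified without invalidating its integrity protection comes down to how the MAC input is built: WordPress 2.5 authenticated the username and expiry time joined with no separator, and 2.5.1 added one. The PHP below is an added example, not WordPress code; the function names, key, account names, timestamps and the use of SHA-256 are constructed for the illustration, and it shows the flawed construction next to a length-prefixed one.

```php
<?php
// Added illustration, not WordPress source code.
// Key, account names and timestamps are constructed for the demo.
const DEMO_KEY = 'constructed-demo-secret';

// Ambiguous: username and expiry are joined with nothing between them,
// so "editor1" + "1893456000" and "editor" + "11893456000" are the same bytes.
function tag_concat(string $user, string $expiry): string {
    return hash_hmac('sha256', $user . $expiry, DEMO_KEY);
}

// Unambiguous: each field is length-prefixed, so a byte cannot move
// from one field to the other without changing the MAC input.
function tag_framed(string $user, string $expiry): string {
    $msg = pack('N', strlen($user)) . $user
         . pack('N', strlen($expiry)) . $expiry;
    return hash_hmac('sha256', $msg, DEMO_KEY);
}

// Cookie layout for the demo: user|expiry|tag. Returns the user or null.
function verify_cookie(string $cookie, callable $tagger, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expiry, $tag] = $parts;
    if (!ctype_digit($expiry) || (int) $expiry < $now) {
        return null;
    }
    return hash_equals($tagger($user, $expiry), $tag) ? $user : null;
}

$now = 1700000000;                      // constructed "current time"
foreach (['tag_concat', 'tag_framed'] as $tagger) {
    // Tag legitimately issued to the account "editor1".
    $tag = $tagger('editor1', '1893456000');
    $issued  = "editor1|1893456000|$tag";
    // Same tag, with the trailing "1" shifted from username to expiry.
    $shifted = "editor|11893456000|$tag";
    printf("%-10s issued=%s shifted=%s\n", $tagger,
        var_export(verify_cookie($issued, $tagger, $now), true),
        var_export(verify_cookie($shifted, $tagger, $now), true));
}
```

With the unseparated construction the shifted cookie verifies for a different account; with the framed construction it is rejected while the issued cookie still verifies.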


  1. wpSnap - Best WordPress Themes, Blogging Tips, Design Resources » WordPress 2.5 Vulnerability Requires WordPress 2.5.1 Upgrade | April 28, 2008

    [...] such as our own site should not be running version 2.5 for the reason we all have come to know as CVE 2008 1930. Upgrading to version 2.5.1 now will save you a lot of hassle, trust me us [...]
