25.Apr.2008 at 3:37 pm | Sunny
WordPress 2.5.1 and CVE-2008-1930
WordPress 2.5.1 is already out, so the blog you upgraded last month is outdated and, worse, could be vulnerable. A Common Vulnerabilities and Exposures entry (CVE-2008-1930), quoted below, is now known to be the reason for this hastened release:
An attacker, who is able to register a specially crafted username on a WordPress 2.5 installation, is able to generate authentication cookies for other chosen accounts.
This vulnerability exists because it is possible to modify authentication cookies without invalidating the cryptographic integrity protection.
If a WordPress blog is configured to freely permit account creation, a remote attacker can gain WordPress-administrator access and then elevate this to arbitrary code execution as the web server user.
Note that this applies to those sites that allow users to register, so if you have multiple authors or prefer users to register to comment, download WordPress 2.5.1 and upgrade using our painless technique!
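An added illustration (not from the original post and not WordPress code) of one way a cookie can be altered without invalidating its integrity protection, as the advisory quoted above describes: the fields are concatenated before the MAC is computed, so the boundary between them is not authenticated. The `user|expiry|mac` layout, the key, the function names and the sample values are assumptions of this example; the page does not give the real cookie format.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed for this example


def _mac(message: str) -> str:
    return hmac.new(SECRET, message.encode(), hashlib.sha256).hexdigest()


def _frame(user: str, expiry: str) -> str:
    # Length-prefix each field so every (user, expiry) pair maps to one string.
    return f"{len(user)}:{user}{len(expiry)}:{expiry}"


def issue(user: str, expiry: str, framed: bool) -> str:
    # framed=False is the weak form: the MAC covers user + expiry glued together.
    body = _frame(user, expiry) if framed else user + expiry
    return f"{user}|{expiry}|{_mac(body)}"


def verify(cookie: str, framed: bool) -> bool:
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3:
        return False
    user, expiry, mac = parts
    if not expiry.isdigit():
        return False
    body = _frame(user, expiry) if framed else user + expiry
    return hmac.compare_digest(mac.encode(), _mac(body).encode())


def shift_boundary(cookie: str) -> str:
    # Test helper: move the last character of the user field into the
    # expiry field and leave the MAC untouched.
    user, expiry, mac = cookie.rsplit("|", 2)
    return f"{user[:-1]}|{user[-1]}{expiry}|{mac}"


def demo() -> dict:
    user, expiry = "alice1", "1300000000"  # constructed values
    weak = shift_boundary(issue(user, expiry, framed=False))
    strong = shift_boundary(issue(user, expiry, framed=True))
    return {
        "weak_accepts_shifted": verify(weak, framed=False),
        "framed_accepts_shifted": verify(strong, framed=True),
    }


if __name__ == "__main__":
    print(demo())
```

With unframed concatenation the shifted cookie names a different user yet still verifies; with length-prefixed fields the same change is rejected.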
1. wpSnap - Best WordPress Themes, Blogging Tips, Design Resources » WordPress 2.5 Vulnerability Requires WordPress 2.5.1 Upgrade | April 28, 2008
[...] such as our own site should not be running version 2.5 for the reason we all have come to know as CVE 2008 1930. Upgrading to version 2.5.1 now will save you a lot of hassle, trust me us [...]