Version 2.3.3, released this week, repairs a flaw in the XML-RPC implementation (xmlrpc.php), the remote procedure call interface that WordPress exposes over HTTP. A specially crafted XML-RPC request lets a user with valid credentials reach post-editing functionality that should not be available to that account.
Administrators who cannot upgrade immediately can download the fixed xmlrpc.php script from the WordPress site and overwrite the existing script with it, although the full 2.3.3 update remains the recommended route.
Vulnerability tracking firm Secunia rated the flaw “less critical.”
“The [original] xmlrpc.php script does not properly restrict access to the edit functionality,” the Secunia advisory said, noting that exploitation requires valid credentials.
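The bug class Secunia describes, an endpoint that authenticates the caller but never checks what that caller may edit, is easy to see in a small model. The Python below is an added illustration, not WordPress's own code and not the logic of xmlrpc.php: it serialises a metaWeblog.editPost call with the standard library's xmlrpc.client and dispatches it to two hand-written handlers, one that stops at the credential check and one that also verifies the caller owns the target post. The users, posts and fault strings are constructed for the example.

```python
"""Authenticated-but-unauthorized edit over XML-RPC: a toy model.

Added example, not WordPress code. The method name metaWeblog.editPost and
the wire format are standard XML-RPC conventions; the users, posts and both
handlers below are constructed for illustration.
"""
import xmlrpc.client

# Constructed sample state: two users, two posts, each owned by one user.
USERS = {"alice": "alice-pw", "bob": "bob-pw"}
POSTS = {
    1: {"owner": "alice", "content": "Alice's draft"},
    2: {"owner": "bob", "content": "Bob's draft"},
}


class Fault(Exception):
    """Signals an XML-RPC fault back to the caller."""


def authenticate(username, password):
    """Credential check only: answers 'who is calling', not 'what may they touch'."""
    if USERS.get(username) != password:
        raise Fault("403: bad login/pass combination")
    return username


def edit_post_vulnerable(post_id, username, password, content, posts):
    """Authenticates the caller but never asks whether this user may edit this post."""
    authenticate(username, password)
    posts[post_id]["content"] = content
    return True


def edit_post_hardened(post_id, username, password, content, posts):
    """Same entry point with an authorization check tied to the target object."""
    user = authenticate(username, password)
    post = posts.get(post_id)
    if post is None:
        raise Fault("404: post not found")
    if post["owner"] != user:  # the check the vulnerable path is missing
        raise Fault("401: you are not allowed to edit this post")
    post["content"] = content
    return True


def build_request(post_id, username, password, content):
    """Serialise a metaWeblog.editPost call the way an XML-RPC client would."""
    struct = {"description": content}
    return xmlrpc.client.dumps((post_id, username, password, struct, True),
                               methodname="metaWeblog.editPost")


def dispatch(xml_body, handler, posts):
    """Parse the XML request body and route it to the chosen editPost handler."""
    params, method = xmlrpc.client.loads(xml_body)
    if method != "metaWeblog.editPost":
        raise Fault("unknown method")
    post_id, username, password, struct, _publish = params
    return handler(post_id, username, password, struct["description"], posts)


def simulate(handler):
    """Bob, holding valid credentials, tries to rewrite Alice's post (id 1).

    Returns the content of post 1 afterwards, or the fault string if refused.
    """
    posts = {k: dict(v) for k, v in POSTS.items()}  # fresh copy per run
    req = build_request(1, "bob", "bob-pw", "defaced by bob")
    try:
        dispatch(req, handler, posts)
    except Fault as e:
        return str(e)
    return posts[1]["content"]


if __name__ == "__main__":
    print("vulnerable:", simulate(edit_post_vulnerable))  # defaced by bob
    print("hardened:  ", simulate(edit_post_hardened))    # 401: you are not allowed ...
```

The point to take from the two handlers is that "requires valid credentials" lowers the severity rating but does not make the bug harmless: on a multi-author blog, any registered account is enough to reach the edit path, so the fix has to live in a per-object authorization check, not in the login check.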
In addition, a SQL injection flaw has been reported in WP-Forum, a plug-in that adds discussion forums to WordPress sites, according to WordPress.
According to Secunia, which rated the flaw "moderately critical", the unpatched bug can be exploited to extract usernames, password hashes and email addresses of users and administrators.
Until a fixed version of the plug-in is released, WordPress developers suggest users disable it.
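The advisory does not describe WP-Forum's query, so the example below is a constructed Python/sqlite3 model of the bug class rather than the plug-in's code: a topic lookup that concatenates a request parameter into SQL, a UNION payload that pulls user_login, user_pass and user_email out of a wp_users-shaped table through the forum's own result set (which is how a forum bug leaks credentials for the whole site), and the validated, parameterised version that refuses the same input. Table names, rows and the phpass-style hash strings are sample data.

```python
"""Credential exfiltration through a string-built forum query, and the fix.

Added example, not WP-Forum code: the tables, the topic lookup and the payload
are constructed to show the class of bug the advisory describes (an unfiltered
request parameter reaching SQL), not the plug-in's actual query.
"""
import sqlite3


def make_db():
    """In-memory schema: a wp_users-shaped table plus a small forum table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER, user_login TEXT, user_pass TEXT, user_email TEXT);
        CREATE TABLE wp_forum_posts (
            id INTEGER, topic_id INTEGER, author TEXT, body TEXT);
        -- sample rows; the hashes are placeholders in WordPress's $P$ phpass format
        INSERT INTO wp_users VALUES
            (1, 'admin', '$P$BsampleHashOfAdminPassword', 'admin@example.org'),
            (2, 'alice', '$P$BsampleHashOfAlicePassword', 'alice@example.org');
        INSERT INTO wp_forum_posts VALUES
            (1, 7, 'alice', 'First post in topic 7'),
            (2, 8, 'admin', 'Unrelated topic');
    """)
    return conn


def posts_for_topic_vulnerable(conn, topic_id):
    """topic_id comes straight from the request and is concatenated into the SQL."""
    sql = "SELECT author, body FROM wp_forum_posts WHERE topic_id = " + str(topic_id)
    return conn.execute(sql).fetchall()


def posts_for_topic_hardened(conn, topic_id):
    """Validate the type, then bind the value; the statement text never changes."""
    topic_id = int(topic_id)  # raises ValueError for anything that is not an integer
    sql = "SELECT author, body FROM wp_forum_posts WHERE topic_id = ?"
    return conn.execute(sql, (topic_id,)).fetchall()


# Constructed UNION payload: it keeps the column count at two and appends
# login and hash:email pairs from wp_users to the forum's normal result set.
PAYLOAD = "7 UNION SELECT user_login, user_pass || ':' || user_email FROM wp_users"


def leaked_credentials(conn):
    """What the attacker learns from the vulnerable query: login -> (hash, email)."""
    leaked = {}
    for author, body in posts_for_topic_vulnerable(conn, PAYLOAD):
        if ":" in body and "@" in body:  # rows that came from wp_users, not the forum
            pw_hash, email = body.split(":", 1)
            leaked[author] = (pw_hash, email)
    return leaked


def hardened_rejects(conn, value):
    """True when the hardened lookup refuses the input instead of executing it."""
    try:
        posts_for_topic_hardened(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", posts_for_topic_hardened(db, 7))
    print("leaked via payload:", leaked_credentials(db))
    print("hardened rejects payload:", hardened_rejects(db, PAYLOAD))
```

Parameter binding alone already defeats the payload, since a bound value can never become part of the statement; the explicit int() cast on top of it turns a nonsensical request into a visible error rather than an empty page, which is what you want to see in the logs while the plug-in is disabled.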
Experts have said blogs are a ripe target for attackers because many businesses fail to keep the supporting software up to date. Duke University Law School's website recently suffered a major data breach that was made possible by a vulnerability in the site's third-party blogging software.
See original article on scmagazineus.com
WordPress releases update; unpatched vulnerability remains
By Dan Kaplan on Feb 11, 2008 9:59AM