Multiple Bugs Haunt WordPress Setup

Researchers have found a string of weaknesses in the WordPress default installation page, including PHP code execution and a persistent cross-site scripting flaw, affecting versions 3.3.1 and later. WordPress officials say that they’re not planning to fix the vulnerabilities as there’s only a small possibility of exploitation by attackers.


The flaws were found by researchers at Trustwave's SpiderLabs, and in their advisory on the WordPress bugs, they describe how attackers would be able to exploit them. In the advisory, the researchers also include code that can be used to demonstrate the problems. Executing attacks on the vulnerabilities does require some specific conditions to be present.

“The WordPress ‘setup-config.php’ installation page allows users to install WordPress in local or remote MySQL databases. This typically requires a user to have valid MySQL credentials to complete. However, a malicious user can host their own MySQL database server and can successfully complete the WordPress installation without having valid credentials on the target system. After the successful installation of WordPress, a malicious user can inject malicious PHP code via the WordPress Themes editor. In addition, with control of the database store, malicious Javascript can be injected into the content of WordPress yielding persistent Cross Site Scripting,” the advisory says in describing the XSS and PHP code execution bugs.

There also are other XSS vulnerabilities in the setup page for WordPress installations.

“The WordPress ‘setup-config.php’ installation page allows users to install WordPress in local or remote MySQL databases. When using this installation page the user is asked to supply the database name, the server that the database resides on, and a valid MySQL username and password. During this process, malicious users can supply javascript within the “dbname”, “dbhost” or “uname” parameters. Upon clicking the submission button, the javascript is rendered in the client’s browser,” the advisory says.

Officials from WordPress said that there is little risk of exploitation, so they will not be publishing patches for the vulnerabilities.

“We give priority to a better user experience at the install process. It is unlikely a user would go to the trouble of installing a copy of WordPress and then not finishing the setup process more-or-less immediately. The window of opportunity for exploiting such a vulnerability is very small,” WordPress officials said in response to the disclosures.
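WordPress's position above is that the exposure ends once setup is finished, because wp-config.php then exists and setup-config.php refuses to run. The following audit script is an added example (not code from the article, Trustwave or WordPress) that walks a web root and lists every WordPress copy whose installer is still reachable; it assumes the stock layout in which wp-config.php sits in the WordPress directory or one level above it, and the sample tree it builds is constructed for the demonstration.

```python
"""Audit a web root for WordPress copies whose installer is still reachable.

A WordPress tree without wp-config.php (a fresh unpack, or a renamed copy of
a finished site) still serves wp-admin/setup-config.php, so the install
window the article describes is open for it.
"""
import os
import tempfile


def has_config(wp_dir):
    """True if wp-config.php exists where WordPress looks for it: in the
    WordPress directory itself, or one level up when that parent is not
    itself a WordPress install (no wp-settings.php there)."""
    if os.path.isfile(os.path.join(wp_dir, "wp-config.php")):
        return True
    parent = os.path.dirname(wp_dir)
    return (os.path.isfile(os.path.join(parent, "wp-config.php"))
            and not os.path.isfile(os.path.join(parent, "wp-settings.php")))


def find_open_installers(web_root):
    """Return sorted, slash-separated relative paths of WordPress copies
    under web_root that still expose setup-config.php without a config."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        if os.path.basename(dirpath) != "wp-admin":
            continue
        if "setup-config.php" not in filenames:
            continue
        wp_dir = os.path.dirname(dirpath)
        if not has_config(wp_dir):
            rel = os.path.relpath(wp_dir, web_root)
            findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def build_sample_tree():
    """Construct a throwaway web root (sample data for this example): one
    finished blog, a renamed backup of it without wp-config.php, a fresh
    unpack, and a site configured from its parent directory."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = [
        "blog/wp-config.php", "blog/wp-settings.php", "blog/wp-admin/setup-config.php",
        "blog_backup_2012/wp-settings.php", "blog_backup_2012/wp-admin/setup-config.php",
        "new/wordpress/wp-settings.php", "new/wordpress/wp-admin/setup-config.php",
        "sites/wp-config.php", "sites/shop/wp-settings.php", "sites/shop/wp-admin/setup-config.php",
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for open_copy in find_open_installers(build_sample_tree()):
        print("installer still reachable:", open_copy)
```

Point it at a real document root instead of the sample tree to find forgotten copies; each hit is either an install to finish or a directory to remove.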



Discussion

  • Anonymous on

    "WordPress officials say that they're not planning to fix the vulnerabilities as there's only a small possibility of exploitation by attackers."


    Proves that they don't care about security and that their products and services should be abandoned by all.

  • Anonymous on

    Your comments prove that you do not fully understand the situation, maybe you should do some research before you jump to conclusions. If a blog is fully set up (not a very long or difficult process) the attack window closes. Stop commenting on things you do not understand.

  • Brian James on

    It is good to know about this flaw. I use WordPress on all my sites.


  • Anonymous on

    One very important thing to keep in mind is backup folders.  Once you rename a /wordpress or /blog folder with a backup name, this breaks the installation and re-opens the vulnerability...  Thanks for this post - we're ridding this file from active/inactive WordPress installations.

  • Anonymous on

    Not sure what the poster above means about renaming backup folders, anyone care to elaborate on that?

    Thanks!

