WordPress [MU] blog's options overwrite

Author

Alexander Concha <alex at buayacorp dot com>

Affected versions

WordPress <= 2.3.2 and WordPress MU < 1.3.2

Description

WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability.

WordPress allows any user with the manage_options capability to directly update any of a blog's options through wp-admin/options.php. This feature can be used to perform (or hide) multiple attacks where WordPress expects safe data coming from the DB.

This bug is very critical on sites using WordPress MU, because any user has the manage_options capability.

Proof of Concept

An exploit that uses the active_plugins option was developed to test the severity of this bug.

Solution

For WordPress MU, upgrade to the latest version (1.3.2).

For WordPress (single version), the developers have postponed the fix to future versions (it likely won't go into 2.5), since by default only Administrators have the manage_options capability.
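
Until a fix ships, the general defence against this class of bug is to accept only an explicit allow-list of option names, each with its own validator, instead of writing whatever a request submits. The sketch below is an added example, not WordPress code and not part of the original advisory; the function names, the allow-list contents and the sample request are assumptions made for illustration.

```php
<?php
// Added illustration (not WordPress code). All function names are hypothetical.

// Options a generic settings form may change, each with its own validator.
// active_plugins, the option named in the proof of concept, is deliberately
// absent: a generic options form has no reason to accept it from a request.
function allowed_option_validators(): array {
    return [
        'blogname'        => fn($v) => is_string($v) && strlen($v) <= 200,
        'blogdescription' => fn($v) => is_string($v) && strlen($v) <= 500,
        'posts_per_page'  => fn($v) => is_string($v) && ctype_digit($v)
                                        && (int)$v >= 1 && (int)$v <= 100,
    ];
}

// Split submitted fields into those safe to store and those to refuse.
// Anything not on the allow-list, or failing its validator, is rejected.
function filter_option_update(array $submitted): array {
    $validators = allowed_option_validators();
    $accepted = [];
    $rejected = [];
    foreach ($submitted as $name => $value) {
        $name = (string)$name;
        if (isset($validators[$name]) && $validators[$name]($value)) {
            $accepted[$name] = $value;
        } else {
            $rejected[] = $name;
        }
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed sample request body: two legitimate settings, one value that
// fails validation, and one option that is not on the allow-list.
$post = [
    'blogname'        => 'Example blog',
    'posts_per_page'  => '10',
    'blogdescription' => ['not', 'a', 'string'],
    'active_plugins'  => ['constructed-value'],
];

$result = filter_option_update($post);
var_export($result);

// Rejected names are worth logging: a request that tries to set an option
// outside the allow-list is a signal for review.
foreach ($result['rejected'] as $name) {
    error_log("options update refused for option: " . $name);
}
```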

Disclosure Timeline