Michael Brooks has discovered a vulnerability in WordPress, which can be exploited by malicious people to bypass certain security restrictions and to disclose sensitive information.
The application does not properly restrict access to posted drafts to users with valid administrator credentials. [my emphasis] This can be exploited to read drafts by accessing the index.php script with data in the “PATH_INFO” URL part ending with “wp-admin/”.
This vulnerability has been confirmed in WordPress version 2.3.1, but other versions may be affected.
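To see how a check like the one the advisory describes goes wrong, here is an added illustrative example in PHP. It is not WordPress's own code: the function names, the DEMO_WP_ADMIN constant, the sample posts and the request are all assumptions made for the demonstration. The weak version decides "am I in the admin area?" by looking for the string wp-admin/ in the request path, which a front-end request to index.php/wp-admin/ also contains once PATH_INFO is appended; the hardened version relies on a constant that only the admin bootstrap defines, and still checks the user's capability before listing drafts.

```php
<?php
// Added illustrative example; not WordPress's own code. The names
// is_admin_by_path, is_admin_by_flag, DEMO_WP_ADMIN and the sample data
// are assumptions made for this demonstration.

// Constructed sample posts: one published, one still a draft.
$posts = [
    ['id' => 1, 'title' => 'Public post',       'status' => 'publish'],
    ['id' => 2, 'title' => 'Unfinished secret', 'status' => 'draft'],
];

// Weak context check: "we are in the admin area if the request path
// contains wp-admin/". On most SAPIs PHP_SELF carries PATH_INFO, so a
// front-end request to /index.php/wp-admin/ satisfies this test as well.
function is_admin_by_path(array $server): bool
{
    return strpos($server['PHP_SELF'], 'wp-admin/') !== false;
}

// Hardened context check: rely on a constant that only the admin
// bootstrap (the scripts under wp-admin/) defines. Nothing in the request
// can define a PHP constant, so PATH_INFO tricks have no effect. This
// front-end script never defines it, so the check returns false here.
function is_admin_by_flag(): bool
{
    return defined('DEMO_WP_ADMIN') && DEMO_WP_ADMIN === true;
}

// Vulnerable policy: treat "admin context" as proof that the viewer may
// see drafts. Combined with the path-based check, that proof is forgeable.
function drafts_visible_trusting_context(bool $in_admin): bool
{
    return $in_admin;
}

// Hardened policy: admin context AND an explicit capability check.
function drafts_visible_checked(bool $in_admin, bool $can_edit_posts): bool
{
    return $in_admin && $can_edit_posts;
}

// The query layer: filter posts according to the policy decision.
function visible_posts(array $posts, bool $show_drafts): array
{
    return array_values(array_filter($posts, function (array $p) use ($show_drafts) {
        return $p['status'] === 'publish' || $show_drafts;
    }));
}

// Constructed request: an anonymous visitor fetching /index.php/wp-admin/.
$server = ['PHP_SELF' => '/index.php/wp-admin/'];
$anonymous_can_edit_posts = false;

// Vulnerable combination: path-based context check plus a policy that
// trusts the context.
$leaky = visible_posts($posts, drafts_visible_trusting_context(is_admin_by_path($server)));

// Hardened combination: bootstrap-defined flag plus a capability check.
$safe = visible_posts($posts, drafts_visible_checked(is_admin_by_flag(), $anonymous_can_edit_posts));

foreach (['vulnerable' => $leaky, 'hardened' => $safe] as $label => $result) {
    echo $label, ': ', implode(', ', array_column($result, 'title')), "\n";
}
```

Run it with the php CLI: the vulnerable combination lists the draft for an anonymous visitor, the hardened one lists only the published post. The lesson is general: whether a request is "in the admin area" must come from which server-side code path actually ran, never from a substring of PHP_SELF, REQUEST_URI or any other client-controlled string, and even inside the admin area draft visibility still has to check the user's capability.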
So what does this mean, everyone?
- Don’t put anything you want to keep private in a draft post: on an unpatched site, anyone who knows the URL trick can read your drafts, no login required.
- We’re in for a WordPress upgrade pretty soon!
Is it just me, or does WordPress seem to have many more vulnerabilities and security issues than other platforms? Or does it just seem like that since I’m so involved in the WordPress world, or because WordPress has such a wide community that bazillions of people are constantly scrutinizing the software?