WordPress 2.3.3 Urgent Security Release for XML-RPC Flaw

An urgent wordpress security release is out and its time to upgrade to WordPress 2.3.3 again. This time its a flaw in XML-RPC implementation that could let people exploit your blog in malicious ways.

The WordPress team announced that they have found a flaw in XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog. Now that is really scary.

WordPress 2.3.3 also fixed a few minor bugs. They say if you are interested only in the security fix, download wordpress 2.3.3. and after extracting the package, find the xmlrpc.php file in the root directory and copy it over your existing xmlrpc.php. That’s the fastest way to fix the security problem without a full wordpress installation.

They also point to a vulnerability in the WP-Forum plugin that is being actively exploited and if you are using this plugin, remove it until an update is available.

Update – Once you only update xmlrpc.php, the wordpress alert keeps on bothering you repeatedly.

Wordpress Update

So I went around finding files which were updated since the last release. You can simply replace the changed files instead of a full install and stop the message.


2 comments on “WordPress 2.3.3 Urgent Security Release for XML-RPC Flaw

  1. Blogging Mix says:

    Hey, thanks for the heads up. I’ve just updated my xmlrpc.php file. Hope that’ll do. Cheers :)

  2. Ravi says:

    thanks a lot for pointing out the files pal..

Leave a Reply

Your email address will not be published. Required fields are marked *

All comments moderated. Use True name. No irrelevant links. Post useful content.