post-page

Comment Remix Security Bulletin

8
responses
by
 
on
November 1st, 2008
in
WordPress Plugins, WordPress Security

Normally, we usually keep a maximum of two posts a day that are published on WeblogTooolsCollection as a means of keeping your dashboard from being overcome by us. However, considering that the following security bulletin has been published concerning the plugin (WP Comment Remix) and it won the WeblogToolsCollection plugin competition, I felt it was important to pass along this security bulletin to you.

According to the bulletin that was published by Chxsecurity.org version 1.4.3 contains the following vulnerabilities:

  • SQL Injection: caused by unsanitized variable ā€œpā€ in the ajax_comments.php file.
  • Cross Site Scripting: This affects authenticated and unauthenticated users.
  • Cross Site Request Forgery: the form generated through wpcr_do_options_page lacks the WordPress wp_nonce security function.

These vulnerabilities are considered HIGH risks however, the latest version (1.4.4) apparently addresses these issues. If you are using this plugin on your blog, be sure to upgrade it to the latest version.

heading
heading
8
Responses

 

Comments

  1. Brad (11 yr. old blogger) (1 comments.) says:

    Thanks for telling us, WTC. I don’t personally use it on my blog, but I am sure that other people do, and a security bulletin is important, regardless of some post limits.

  2. Rajesh (35 comments.) says:

    good to know that these have been fixed…scary…a plugin competition winner with so many vulnerabilities…

  3. Roger Hamilton (2 comments.) says:

    Thanks for sharing this notice. Everyone should go and update it.

  4. Chetan (9 comments.) says:

    Thanks for the update, else injection will bring down the whole wp based blog :)

  5. Tom Slayer (4 comments.) says:

    Update regularly and backup often and there will be nothing to worry about

  6. Chris Osborne (3 comments.) says:

    Now if only I could find that piece of code that hides the admin comments when the user id isn’t 1…



Trackbacks/Pingbacks

  1. […] Jeff made a security bulletin on weblogtoolscollection dot com for the Comment Remix plugin (the winner of this year’s plugin competition).Folks using this […]

  2. […] Comment Remix Vulnerability […]

Obviously Powered by WordPress. © 2003-2013

page counter
css.php