Normally, we usually keep a maximum of two posts a day that are published on WeblogTooolsCollection as a means of keeping your dashboard from being overcome by us. However, considering that the following security bulletin has been published concerning the plugin (WP Comment Remix) and it won the WeblogToolsCollection plugin competition, I felt it was important to pass along this security bulletin to you.
According to the bulletin that was published by Chxsecurity.org version 1.4.3 contains the following vulnerabilities:
- SQL Injection: caused by unsanitized variable “p” in the ajax_comments.php file.
- Cross Site Scripting: This affects authenticated and unauthenticated users.
- Cross Site Request Forgery: the form generated through wpcr_do_options_page lacks the WordPress wp_nonce security function.
These vulnerabilities are considered HIGH risks however, the latest version (1.4.4) apparently addresses these issues. If you are using this plugin on your blog, be sure to upgrade it to the latest version.
Thanks for telling us, WTC. I don’t personally use it on my blog, but I am sure that other people do, and a security bulletin is important, regardless of some post limits.
good to know that these have been fixed…scary…a plugin competition winner with so many vulnerabilities…
Thanks for sharing this notice. Everyone should go and update it.
Thanks for the update, else injection will bring down the whole wp based blog 🙂
Update regularly and backup often and there will be nothing to worry about
Now if only I could find that piece of code that hides the admin comments when the user id isn’t 1…