Extending WordPress Beyond the Blog

Extending WordPress Beyond the Blog: A good article on extending WordPress beyond “just a blog” with examples and a developer’s trials and tribulations along the way. Custom Fields in WordPress are the bomb. I have worked extensively with this feature set and used it to my advantage many times. WordPress Jobs makes use of the custom fields to store and produce the job listings. Our recent post on WordPress as a contact manager also uses Custom Fields. Heck, there was a contest at one point that awarded prizes to the best new use of WordPress’ Custom Fields. Along those lines, Andrew asks a question at the end of the linked article that caught my fancy and I wanted to ask our readers the same question. We might find some new uses for old code and spark new ideas. Which are your favorite non-traditional sites that use WordPress as their publishing […]

February 7th, 2008

NBBN has discovered some cross-site scripting vulnerabilities in the WP-Footnotes plugin version 2.2 for WordPress. Input passed to the “pre_footnotes”, “priority”, “post_footnotes”, and “style_rules” array elements in the “wp_footnotes_current_settings[]” array in the admin_panel.php script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. The good news this time around is that ‘register_globals’ must be turned on for exploitation to occur. If you are using this plugin on your site, it is advised that you disable the plugin until a security patch has been released. According to the security bulletin, the solution is to edit the plugin source code to ensure that input is properly sanitised. Again, if you know that your webserver has register_globals turned off, you are in the clear. S@BUN has reported an “id” […]

WP Contact Manager: The versatility of WordPress continues to amaze me. Design Canopy has released a theme/set of instructions for WordPress that would allow you to run a WordPress install as a taggable, searchable contact manager that can be made into a Members Only system and display related contacts. Now mind you, it is not a standalone theme; it needs extra plugins to be downloaded and installed, and they outline detailed instructions on how to set it up. However, the setup looks relatively easy and the results are definitely pretty cool. I would have liked to see a Prologue-like custom posting interface for logged-in users, but that could be an easy add-on or plugin once the thing is set up.

February 4th, 2008

Utterz is a Web-based service that posts to all of the above, from anywhere, even by phone, whether it’s text, photos, video, voice, or a mash-up of all the above. Same with PCs. You can just e-mail or SMS the posts to Utterz, or make a phone call to leave a voice record. After the content is received, it’s forwarded to the blog or blogs you specify in about 10 minutes. This online tool brings us one step closer to having a personal Twitter. If you set up your own WordPress blog (hosted or on WordPress.com) and use the Prologue theme (new zipped release by popular request, thanks Joseph Scott), you can have many of the flexible posting features of Twitter on your own platform. Since Utterz is a remotely hosted service, I am not sure the benefits of a “personal” Twitter are realized quite as well, but it is definitely […]

February 2nd, 2008

Six Apart created the Trackback specification as a way to enable bloggers to communicate with each other via a link or acknowledgement. My question to the reader: in what ways do you use Trackbacks? Do you still find Trackbacks useful? With the growing Trackback spam, how do you keep up with legitimate bloggers?

February 2nd, 2008

MultiPage Toolkit: MultiPage Toolkit allows you to manage multi-page posts by allowing you to add a page title to each page, and also allows you to display the number of pages in the post on the index page of the post. Looks like a nice addition as it definitely takes care of one problem I have wanted to overcome in WordPress. Release Page | Download

Extended Categories: An extension to the default category widget that comes built in with WordPress. This plugin allows you to display the categories as a list or dropdown, show the number of posts per category, hide empty categories and more. Release Page | Download

UnderConstruction: Shows a customizable message on posts and pages containing the [uc] tag. The message can be customized in the Options page. Release Page | Download

Tag This: The plugin allows readers to tag posts and uses the core WordPress tag system to store […]

February 1st, 2008

Instapaper: I came across this service via Techeme and was impressed with the ease of use. Although I barely ever have to “read something later”, one could use Instapaper to quickly and easily bookmark sites, blogs or news items for later reading which could then be cleaned up. Signup is incredibly easy and they provide you with a bookmarklet to use. Would you use something like Instapaper? I wonder how they would monetize it?

January 31st, 2008

Prologue, the WordPress.com theme that mimics Twitter-like functionality, has undergone a series of updates. The updates are as follows:

- The front page now shows a stream of recent updates instead of one update per user
- Pages now have their own template and look much better
- Avatars are only shown once for sequential posts by the same author (front page and tag pages)
- Post titles are no longer empty, they are generated based on the beginning of each post
- Works out of the box for WordPress.org 2.3.2

Probably the biggest update is the fact that Prologue now works out of the box for WordPress 2.3.2. It didn’t work before because of a function that was used within the author template which wasn’t available in 2.3.2. Because of these updates, Prologue, which is now at version 1.2, will have the changes reflected in Subversion (for self-hosted WordPress.org blogs) and is […]

January 31st, 2008

Today, we have a moderately critical SQL Injection Vulnerability that was discovered by HouSSaMix in the “WP-Cal” plugin version 0.x for WordPress. According to the Secunia Advisory: Input passed to the “id” parameter in functions/editevent.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Users with malicious intent can conduct SQL injection attacks which may result in the retrieval of usernames, password hashes, and email addresses for users and administrators. However, the malicious user must have knowledge of the database table prefix. So far, version 0.3 has been confirmed as having this vulnerability, with other versions possibly being affected. Secunia states that the solution involves editing the source code to ensure that input is properly sanitised. Click here to read the original advisory which provides an example of the exploit as well as the vulnerable […]
