
WordPress Contributor Post Submission Vulnerability [ALERT]
- Updated On 21/04/2011
- Author : Pradeep Kumar
- Topic : WordPress
- Short URL : https://hellboundbloggers.com/?p=18439
If user registration is enabled on your WordPress blog, then you have a good reason to worry. Recently bloggers from across the world have encountered strange problems with Contributor post submissions. It seems that some attackers are abusing a WordPress user role (particularly ‘Contributor’) to gain the permission to publish posts directly, in other words to autopost spam into our blogs.
A Contributor is someone who can write and manage their own posts but not publish them; they do not have the right to publish posts.
We finalized the spam user’s name as ‘klamka13303’, and if you have any user registered with this name, kindly delete that account. His/her spam post was actually in a different language, Polish maybe, and it was about loans.
Earlier today HBB also encountered this problem, but we were able to rectify it soon. I also encountered this problem on several active blogs yesterday. I request all bloggers to check their Contributors manually, and if you see any weird-looking spam account, then you need to look deeper into it.
If user registration is not enabled on your blog, then the exposure is smaller. I’ll update this post with more information soon.
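As an added detection check, not part of the original post: the query below lists posts that are live even though their author holds only the Contributor role, which is exactly what this abuse produces. It runs here against a constructed in-memory SQLite copy of the wp_users, wp_usermeta and wp_posts tables (default wp_ prefix assumed, sample rows invented); the AUDIT_SQL statement itself is plain enough to run against a real WordPress MySQL database.

```python
import sqlite3

# Constructed sample rows standing in for the three WordPress tables the
# audit reads (the default "wp_" table prefix is assumed). Not a real dump.
SAMPLE_USERS = [
    # (ID, user_login, user_registered, role)
    (1, "admin", "2010-01-01 10:00:00", "administrator"),
    (7, "guestwriter", "2011-03-02 09:15:00", "contributor"),
    (9, "klamka13303", "2011-04-20 23:41:07", "contributor"),
]
SAMPLE_POSTS = [
    # (ID, post_author, post_title, post_status, post_type)
    (10, 1, "Welcome", "publish", "post"),
    (11, 7, "My draft", "pending", "post"),
    (12, 9, "Kredyty", "publish", "post"),  # live post by a Contributor: should not exist
    (13, 9, "Kredyty 2", "draft", "post"),
]

def build_sample_db():
    """Create an in-memory database with the WordPress schema subset used below."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER, post_author INTEGER, post_title TEXT,
                               post_status TEXT, post_type TEXT);
    """)
    for uid, login, registered, role in SAMPLE_USERS:
        db.execute("INSERT INTO wp_users VALUES (?, ?, ?)", (uid, login, registered))
        # WordPress stores a user's roles as a PHP-serialized array in wp_capabilities.
        caps = 'a:1:{s:%d:"%s";b:1;}' % (len(role), role)
        db.execute("INSERT INTO wp_usermeta VALUES (?, ?, ?)", (uid, "wp_capabilities", caps))
    db.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?, ?)", SAMPLE_POSTS)
    return db

# Published posts whose author's role list contains "contributor". A user who also
# holds a higher role matches too, so review the hits by hand before deleting anything.
AUDIT_SQL = """
SELECT u.user_login, p.ID, p.post_title
FROM wp_posts p
JOIN wp_users u ON u.ID = p.post_author
JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
WHERE p.post_type = 'post' AND p.post_status = 'publish'
  AND m.meta_value LIKE '%"contributor"%'
ORDER BY p.ID
"""

def published_by_contributors(db):
    """Return (login, post id, title) for live posts a Contributor should not have published."""
    return [tuple(row) for row in db.execute(AUDIT_SQL)]
```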
More Discussions: Shiva Chettri Facebook Status
Comments
37 Comments
jay@gametweeps
The problem still appears to be on. I have noticed a sudden jump in the number of registrations on my blog lately in spite of the email verification.
NoobError
Do you think the site I built for a client using WordPress could be affected by this? They want to have a large follower base, and well.. I’m not sure WordPress is the one for it if there is going to be comment spam.. it is http://mystichcg.com
What about if you already allow someone’s post, can’t they now just keep reposting if you have your settings all screwed up? I’ve noticed in the past that they tend to attack certain posts more frequently than others.. it’s weird..
S.Pradeep Kumar
I think the latest version of WP solved this issue.
Andrew Nacin
This was addressed in WordPress 3.1.2.
S.Pradeep Kumar
Hey, thanks for the update Andrew.
arthurmasons999
Are there any tools to prevent that happening?
Regards. Arthur
S.Pradeep Kumar
You can use reCAPTCHA on your registration page mate.
http://www.google.com/recaptcha
Harsh Agrawal
I may be wrong but this issue was for old versions of WordPress. What version of WordPress is Shiva using? Is it the latest 3.1 or an old one??
S.Pradeep Kumar
Harsh, even HBB was infected. We got the same user and he/she published the post (using the contributor role). Damn sure I was using the recent WordPress version.
Sunil Sheoran
That’s such a good article. Security is actually the first thing you should have enabled on your blog.
Natty Bumpercar
I woke up this morning to find an email saying that klamka13303 had subscribed to my blog. I had never gotten an email like that before. The first thing that I did was go and check the site to make sure that everything was cool – then I did some sleuthing and came upon this post.
Thanks for the info – klamka13303 has been deleted and “anyone can register” has been turned off – – even though I had it set to the “subscriber” level – it just feels safer that way.
Thanks!
Techvista
So, what’s the solution to get rid of this vulnerability?
Anubhab
It’s really an issue to worry about. Thanks for updating, pal… Will keep a close look on this particular post..
Abhimanyu
Nice post, Pradeep! Thanks for the alert, but I have set posts to be reviewed first!
Jane | Find All Answers
Not yet for me.. but I will be careful. Thanks for the alert.
Hackers get into any places. That’s annoying in the online world.
Jane.
Praveen@Techperk
sucks, it happened to me as well, lol
Jasmine
I am sure the WordPress team will rectify this bug asap. In the meantime, we all have to tighten the security on our blogs.
Vincent Raja @ Tech2Hell
Well, my blog didn’t get affected by this, but one of my friend’s blogs was affected by it. And I kept the default registration role as SUBSCRIBER.. any problem in that case?
S.Pradeep Kumar
If his/her blog does not have Guest Blogging, then it is better to disable Registration.
Emil
The fix was released in WordPress 3.0.5 http://wordpress.org/news/2011/02/wordpress-3-0-5/ and that was earlier this month.
“Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.”
This isn’t new and it’s always recommended that everyone upgrades their platforms, especially when a security release is published.
Cheers,
Emil
S.Pradeep Kumar
Maybe this isn’t new, but a huge number of blogs are getting affected day by day; we encountered many.
P.S. They have been using the current version of WordPress (3.0.5).
yogi
Hi Pradeep, this information would be very useful for bloggers who want to maintain their blog..
Murugappan
The same happened in Chaaps.
And guess what?!
The post title was Kredyty in my case as well.
Wonder what’s wrong! :-O
Amandeep Singh
I think WP has already released this in WP 3.0.5?
“WordPress 3.0.5 is now available and is a security hardening update for all previous WordPress versions.
This security release is required if you have any untrusted user accounts, but it also comes with important security enhancements and hardening. All WordPress users are strongly encouraged to update.
Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.”
This happened to me also and I thought that the reason is because I had not upgraded to 3.0.5…
Rohit Batra @ IpodTouch4G
Seen this new hack on many blogs… at first I was also surprised at what the blog admins had posted, but now realized it’s a security breach..
Pankaj gupta
I think this may be due to role manager plugin.
Vivek Parmar
New hack, did not know about this. Thanks a lot for sharing
Techie Zone
It is recommended to set the user level to subscriber if you have enabled the option that lets users register themselves. If you have a multi-author blog, you can give author or contributor rights to selected and trusted people only.
aswin
Thanks Pradeep for posting this issue
Webmaster Blog
My site was hit by this security bug!
Shiva @ Webmaster Tips
Hey Pradeep,
Thanks for making a post for this issue. I really think WordPress has to do something about this issue. I have changed the user role to subscriber for now, and ya, thanks for the link to my status
S.Pradeep Kumar
Yea mate, update recommended.
Jose Tinto
This is a serious threat. Hope WordPress rectifies the issue soon.
Anoop Sudhakaran
To All!!
Keep having a look at http://www.securityfocus.com for the latest exploits and solutions.
Jasmine
Securityfocus looks great with PR8. But kind of like a boring site. Hehe
Anoop Sudhakaran
Man, this is some serious problem for guest-blogging enabled blogs. Hope WP releases an update soon.
Saket Jajodia
Ya, it happened on 2 of my blogs.. And some of my friends’ blogs also…