WordPress Contributor Post Submission Vulnerability [ALERT]

If User Registration is enabled on your WordPress blog, then you have a good reason to worry. Recently bloggers from across the world encountered strange problems with Contributor Post Submissions. Seems like some hackers are exploiting User Role (particularly ‘Contributor’) in WordPress and they get the permission to publish the post directly, in other words autopost spam into our blog.

Contributor is somebody who can write and manage their posts but not publish them, they don’t have the right to publish the posts.

SPAM User

We finalized the SPAM user’s name as ‘klamka13303’ and if you have any user registered using this name, kindly delete that account. His/her SPAM post was actually in different language, Polish maybe and it was about loans.

Earlier today HBB also encountered this problem, but we were able to rectify it soon. I also encountered this problem on several active blogs yesterday. I request all the bloggers to check their Contributors manually and if you see any weird looking SPAM account, then you need to look deep into that.

If User Registrations are not enabled on your blog then the vulnerability is less. I’ll update this post with more information quickly.

More Discussions : Shiva Chettri Facebook Status

37 thoughts on “WordPress Contributor Post Submission Vulnerability [ALERT]”

  1. Do you thing the site i built for a client using wordpress could be affected by this? they want to have a large folower base, and well.. Im not sure wordpress is the one for it if there is going to be comment spam.. it is http://mystichcg.com

    What about if you already allow some ones post, cant they now kust keep repost if you ahve your settings all screwed up? Ive noticed in the past that they tend to attack certain posts more frequently then others.. its weird..

    Reply
  2. That’s such a good article. Security is actually the firs thing you should have enabled on your blog.

    Reply
  3. I woke up this morning to find an email saying that klamka13303 had subscribed to my blog. I had never gotten an email like that before. The first thing that I did was go and check the site to make sure that everything was cool – then I did some sleuthing and came upon this post.

    Thanks for the info – klamka13303 has been deleted and “anyone can register” has been turned off – – even though I had it set to the “subscriber” level – it just feels safer that way.

    Thanks!

    Reply
  4. Its really a issue to worry about. Thanks for updating Pal…Will keep a close look on this particular post..

    Reply
  5. Well. My Blog didnt Get affected by this. but one of my friend blog affected by this. and I kept Default Registration Role is SUBSCRIBER.. any problem in that cause?

    Reply
  6. The fix was released in WordPress 3.0.5 http://wordpress.org/news/2011/02/wordpress-3-0-5/ and that was earlier this month.

    “Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.”

    This isn’t new and it’s always recommended that everyone upgrades their platforms, especially when security release is published.

    Cheers,
    Emil

    Reply
    • Maybe this isn’t new, but huge number of blogs getting affected day-by-day, we encountered many.

      P.S. They have been using the current version of WordPress (3.0.5). πŸ™‚

      Reply
  7. I think WP has already released this in WP 3.0.5?

    “WordPress 3.0.5 is now available and is a security hardening update for all previous WordPress versions.

    This security release is required if you have any untrusted user accounts, but it also comes with important security enhancements and hardening. All WordPress users are strongly encouraged to update.

    Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.”

    This happened to me also and I thought that the reason is because I had not upgraded to 3.0.5…

    Reply
  8. seen this New Hack on many blogs…at first i was also surprised what the Blog admins have posted but now realized its a security breach..

    Reply
  9. It is recommended to set user level to subscriber, if you have allowed users can register themselves option. If you have a multi authored blog, you can give author or contributor rights to selected and trusted people only.

    Reply
  10. Hey Pradeep,

    Thanks for making a post for this issue. I really think WordPress has to do something about this issue. I have changed the user role to subscriber for now and ya thank for the link to my status’ πŸ˜‰

    Reply

Leave a Comment