Details are emerging about a new vulnerability in WordPress. An unpatched flaw in WordPress may lead to SQL injection.
It was recently discovered that the search function within WordPress fails to properly sanitize input based on different character sets. Input passed to the "s" parameter in index.php (when "exact" and "sentence" are set to "1") is not properly sanitized before being used in SQL queries.
The currently known character sets which are exploitable include Big5 and GBK. Additional character sets may also be exploitable.
Alone this attack can result in exposure of all database content without the need to authenticate. However, if combined with other exploits (previous WordPress exploits such as cookie authentication vulnerability), any remote user can obtain WordPress admin privilege.
Exploit code for this vulnerability has been publicly released.
While currently unpatched, workarounds do exist.
More information can be found below.
Posted by Nathan Heck on December 14, 2007, in Handlers Log.