WordPress 2.6.3 was officially announced a few days ago. According to the announcement, the problem is in the Snoopy library, which WordPress uses to fetch the feeds shown in the Dashboard of the Administration Panel.
It is a minor update anyway, relating only to the vulnerability reported in the Secunia advisory:
A vulnerability has been discovered in Snoopy, which can be exploited by malicious people to compromise a vulnerable system.
Input passed to the “_httpsrequest()” function isn’t properly sanitized before being used in an “exec()” call. This can be exploited to inject arbitrary shell commands via a script calling the “fetch()” or “submit()” function with a URL controlled by the attacker.
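The advisory describes a URL reaching exec() without any escaping. As an added illustration (this is not Snoopy’s or WordPress’s code, and the function names are hypothetical), here is how a fetch wrapper that shells out to curl should validate and quote an externally supplied URL before it touches the shell:

```php
<?php
// Added example, not code from Snoopy or WordPress. Function names are hypothetical.
// Two layers protect a URL the wrapper does not control before it reaches a shell:
// strict validation first, then shell quoting of every argument.

/**
 * Return the URL if it is an absolute https:// URL built only from a conservative
 * character set (no whitespace, quotes, backticks, $, ;, |, parentheses, ...),
 * otherwise null. Rejecting early keeps bad input out of the command entirely.
 */
function validate_fetch_url(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // no user:pass@host in a URL that will be passed to a shell
    }
    if (!preg_match('#^[A-Za-z0-9\-._~:/?=&%+,]+$#', $url)) {
        return null;
    }
    return $url;
}

/**
 * Build the curl command line. Every externally influenced value goes through
 * escapeshellarg(), so the shell sees each one as a single quoted argument.
 * This is defence in depth on top of validate_fetch_url().
 */
function build_curl_command(string $curl_path, string $header_file, string $url): ?string
{
    $safe_url = validate_fetch_url($url);
    if ($safe_url === null) {
        return null;
    }
    return escapeshellarg($curl_path)
        . ' -s -D ' . escapeshellarg($header_file)
        . ' ' . escapeshellarg($safe_url);
}

// Constructed inputs: a normal feed URL passes; a URL containing a shell-special
// character (here a space) is rejected before any command is built.
var_dump(build_curl_command('/usr/bin/curl', '/tmp/hdr.txt', 'https://example.com/feed.xml'));
var_dump(build_curl_command('/usr/bin/curl', '/tmp/hdr.txt', 'https://example.com/feed x'));
```

Where the PHP curl extension is available, calling it directly instead of exec() removes the shell from the picture altogether.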
Although it is a small, low-risk vulnerability, it is better to upgrade the engine to the latest version to prevent any malicious use. So how do you easily upgrade WP 2.6.2 to WP 2.6.3?
- SSH into the remote server where the blog is hosted
- Navigate to the wp-includes folder
[code language='bash']# Fetch the two patched files from the 2.6.3 tag (trac changeset 9310); -m -nd saves them into the current directory without creating subdirectories
wget -m -nd http://trac.wordpress.org/export/9310/tags/2.6.3/wp-includes/class-snoopy.php
wget -m -nd http://trac.wordpress.org/export/9310/tags/2.6.3/wp-includes/version.php[/code]
If you have no SSH access, replace the above files using an FTP client instead.