WP 2.3.3 does not close injection spam loophole

Over a month ago, I’d upgraded to WordPress v2.3.3 which addressed a security hole that was permitting spammers to “inject” spammy links directly into posts via xmlrpc.php, and thereby avoid the “nofollow” attribute that is automatically applied to links in comments (to deprive comment spammers of the PageRank mojo they seek). The spam was surrounded by “noscript” HTML tags, which meant that they were invisible in the browser, thus hiding the links from detection and removal. However, subscribers to the blog feed can see the spam since RSS readers ignore javascript markup.

However, on my latest post at my geekblog, I was hit by the injection spam again. I have sent the following email to wordpress security (security @ wordpress.org)

Hello,

I have a WordPress blog at domain http://haibane.info which was upgraded to 2.3.3 as soon as the security release came out last month. I had experienced the injection spam attack detailed here:

http://wordpress.org/support/topic/151368

and upgraded to 2.3.3, but on my most recent post I have seen the same spam attack occur. The post is here:

Google 42

and I have already removed the injection spam, but am reprinting it below :

<noscript><a href="http://www.casinomejor. es/casino-online- basico.html">casino online</a> mirar sus oponentes h�bitos.</noscript>

<noscript>Il <a href="http://www.qualitapoker .com/neteller-game-poker.html">http://www.qualitapoker .com/neteller-game- poker.html</a> � un gioco di carte.</noscript>

(there were two separate injections into the same post)

I am disabling user registration as a precautionary measure but it is clear that the 2.3.3 release did not solve the problem.

I recommend closing user registration on all WP blogs for the time being. Peter’s captcha plugins make user registration obsolete for commenting, anyway.

3 thoughts on “WP 2.3.3 does not close injection spam loophole”

  1. I upgraded that blog the day of the 2.3.3 release, because I’d been hit before. So merely upgrading the blog doesn’t remove the vulnerability?

    I am going ahead and changing the passwords. Thats probably best practice anyway.

  2. Cookie hijacking is different than they were using before wasn’t it? Funny they’d go through the trouble of getting that and then fall back to the same sort of spam as before.

Comments are closed.