However, on my latest post at my geekblog, I was hit by the injection spam again. I have sent the following email to WordPress security (security @ wordpress.org):
I have a WordPress blog at domain http://haibane.info which was upgraded to 2.3.3 as soon as the security release came out last month. I had experienced the injection spam attack detailed here:
and upgraded to 2.3.3, but on my most recent post I have seen the same spam attack occur. The post is here:
and I have already removed the injection spam, but am reprinting it below:
<noscript><a href="http://www.casinomejor. es/casino-online- basico.html">casino online</a> mirar sus oponentes hábitos.</noscript>
<noscript>Il <a href="http://www.qualitapoker .com/neteller-game-poker.html">http://www.qualitapoker .com/neteller-game- poker.html</a> è un gioco di carte.</noscript>
(there were two separate injections into the same post)
I am disabling user registration as a precautionary measure but it is clear that the 2.3.3 release did not solve the problem.
I recommend closing user registration on all WP blogs for the time being. Peter’s captcha plugins make user registration obsolete for commenting, anyway.
3 thoughts on “WP 2.3.3 does not close injection spam loophole”
I upgraded that blog the day of the 2.3.3 release, because I’d been hit before. So merely upgrading the blog doesn’t remove the vulnerability?
I am going ahead and changing the passwords. That’s probably best practice anyway.
Cookie hijacking is different than what they were using before, wasn’t it? Funny they’d go through the trouble of getting that and then fall back to the same sort of spam as before.