[wp-hackers] PCI Compliance and Wordpress 2.9.2

Thomas Belknap dragonfly at dragonflyeye.net
Wed May 19 19:33:28 UTC 2010

We've been working on PCI compliance issues ourselves. The thing is: if
WordPress does not govern credentialing for PCI-governed areas of your site
(I should hope not!), then I don't see why this is an issue. Provided that
you have a decent records retention policy for handling CC info, there
should be no real concern.

My advice would be to speak with a rep rather than relying on the test
results. Much of the problem can be avoided by keeping CC information in an
entirely separate database (the only issue I can think of is the possiblity
that someone could use WP backup tools to get a copy of the database, but if
the CC isn't in that database, there should be no harm.).

I've yet to run across any PCI flags that are tripped by WP (my job doesn't
use it, unfortunately). I'll be very interested to see what else you find!
Please keep this list updated, it's a huge issue for a lot of companies.

On Wed, May 19, 2010 at 3:23 PM, Katrina Tustin <Katrina at jstreettech.com>wrote:

> Hi,
> I am hoping that someone can help us.  We have an e-commerce site as well
> as a WordPress blog.  We have been unsuccessful in passing PCI compliance
> due to a security issue with the blog.  This is the error that is received
> from Security Metrics.  We are running 2.9.2.  Any help would be
> appreciated.
> Synopsis : The remote web server contains a PHP application that is
> affected by an information disclosure issue. Description : The version of
> WordPress on the remote host does not properly check for administrative
> credentials in the 'is_admin()' function in 'wp-includes/query.php'. Using a
> specially-crafted URL that contains the string 'wp-admin/', an attacker may
> be able to leverage this issue to view posts for which the status is
> classified as 'future', 'draft', or 'pending', which would otherwise be
> available only to authenticated users. See also :
> http://www.securityfocus.com/archive/1/4 85160/30/0/threaded<
> http://www.securityfocus.com/archive/1/485160/30/0/threaded>
> http://trac.wordpress.org/ticket/5487 Solution: Unknown at this time. Risk
> Factor: Medium  / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
> BID : 26885 Other references : OSVDB:39518, Secunia:28130 [More]
> Thank You,
> Katrina
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

More information about the wp-hackers mailing list