[wp-hackers] WP 3.0.1 Multiple Sites -- SQL Injection Vulnerability

Chuck Harris charrisjr at gmail.com
Wed Oct 6 17:59:02 UTC 2010


Any experience with or insight regarding the following would be helpful.

Thank you in advance,
Chuck Harris


We are experimenting with the new multiple sites feature in WP 3.x.  We
recently discovered that our site has a SQL injection vulnerability.  One of
the attack sequences was as follows:


When changing the 1 to a 2 and using the url:


Returns a custom 'Not Found' page. This change shows that the server is
returning different data based upon the results of the sql string it is

Has anyone else experienced similar?  Is there a remedy?  Should we be
concerned?  We are currently searching log files to determine whether or not
the attack was successful.

More information about the wp-hackers mailing list