[wp-hackers] WP 3.0.1 Multiple Sites -- SQL Injection Vulnerability

Patrick Laverty patrick_laverty at brown.edu
Sat Oct 9 19:49:41 UTC 2010

>> In the future, I would have thought it were obvious, but:
>> Don't send potential vulnerabilities over a public mailing list or post it
>> to a public place.
>> It should go through the core team at security at wordpress.org.
>> See also: http://codex.wordpress.org/FAQ_Security.
> Lame. If it were actually a security problem, individuals can react wayy
> faster than the core team to fix their sites.

Every individual WP blog admin is on this list?  All it takes is one
or two people with bad intentions to get hold of the vulnerability
before the owners do.  Do you want a knowledgeable cracker knowing
about a vulnerability in your blog immediately?  Maybe you're
traveling or just out to dinner when someone posts a vulnerability
here and a less responsible person reads it and somehow chooses your
blog to go after.

Andrew's right, the responsible thing to do is to report the possible
vulnerability to the vendor and give them a reasonable amount of time
to respond.  If they respond incorrectly or don't at all, then sure,
blast it out to the public.

More information about the wp-hackers mailing list