The [SANS Institute](http://sans.org/) has unconfirmed reports that all [WordPress](http://wordpress.org/) versions (2.0.2 and prior) are vulnerable to a remote command execution vulnerability and an IP spoofing attack. By [sending a specially-crafted request](http://retrogod.altervista.org/wordpress_202_xpl.html), an attacker can cause servers that allow open user registration or open modification of account information to execute arbitrary commands with the privileges of the web server process.
![[WordPress]](/u/2007/03/10/wordpress-logo.png)
A flaw in the processing of client request headers allows the attacker to spoof their source IP in the WordPress logs, although web server logs should remain unaffected.
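As an added defensive illustration (not code from this post or from WordPress), the PHP function below resolves the address written to an application log while believing forwarding headers only when the TCP peer is a configured reverse proxy; it assumes the spoofable header is X-Forwarded-For, which the post does not name.

```php
<?php
// Added example, not from the post or WordPress. Assumption: the
// client-supplied header being spoofed is X-Forwarded-For.

/**
 * Return the IP address to record in the application log.
 *
 * $server is a $_SERVER-style array; $trustedProxies lists the reverse
 * proxies whose X-Forwarded-For header may be believed. If the TCP peer
 * is not one of them, the header is ignored and REMOTE_ADDR is used, so
 * a direct client cannot choose what the log records.
 */
function client_ip_for_log(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return 'invalid';
    }
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;   // direct connection: the header is attacker-controlled
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Walk the chain from the right; the first hop that is not a trusted
    // proxy is the real client. Malformed tokens fall back to the peer.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer;
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

$trusted = ['192.0.2.10'];   // constructed reverse-proxy address

// Constructed request: a direct client sends a forged header; it is ignored
// and the peer address is what reaches the log.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
echo client_ip_for_log($direct, $trusted), "\n";

// Constructed request arriving via the trusted proxy; the header is honoured
// and the hop before the proxy is logged.
$proxied = ['REMOTE_ADDR' => '192.0.2.10',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 192.0.2.10'];
echo client_ip_for_log($proxied, $trusted), "\n";
```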
**Updated Saturday June 3rd**
WordPress 2.0.3 is now available for [download](http://wordpress.org/download/) to address this vulnerability. The [upgrade](http://codex.wordpress.org/Upgrading_WordPress#Upgrade_2.0.2_to_2.0.3) worked flawlessly in less than 5 minutes.