Hi, I'm Paul

WordPress Remote Command Execution

June 3, 2006
The [SANS Institute](http://sans.org/) has unconfirmed reports that all [WordPress](http://wordpress.org/) versions (2.0.2 and prior) are vulnerable to remote command execution and to an IP spoofing attack. By [sending a specially crafted request](http://retrogod.altervista.org/wordpress_202_xpl.html), an attacker can cause servers that allow open user registration or open account information modification to execute arbitrary commands with the privileges of the web server process. ![[WordPress]](/u/2007/03/10/wordpress-logo.png)
A flaw in the processing of client request headers allows the attacker to spoof their source IP in the WordPress logs, although web server logs should remain unaffected.
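The general pattern behind this kind of log spoofing, as an added example that is not WordPress code or part of the original post: an application that takes the client address from request headers can be given a false one, while the socket peer address recorded by the web server is not set by the request. The header names, proxy range and sample requests are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions: our own reverse proxies, and illustrative header names
# (the page does not say which header the flaw involves).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
FORWARD_HEADERS = ("Client-IP", "X-Forwarded-For")

def is_trusted_proxy(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def naive_client_ip(peer_addr, headers):
    """Spoofable pattern: log whatever address the request headers claim."""
    for name in FORWARD_HEADERS:
        if headers.get(name):
            return headers[name].split(",")[0].strip()
    return peer_addr

def hardened_client_ip(peer_addr, headers):
    """Log the TCP peer unless it is our own proxy; then take the rightmost
    X-Forwarded-For hop that is not one of our proxies."""
    if not is_trusted_proxy(peer_addr):
        return peer_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed or empty chain: use the socket address
        if not is_trusted_proxy(hop):
            return hop
    return peer_addr

def mismatches(requests):
    """Requests where the header-derived address (application log) differs
    from the address a server-side check accepts (web server log view)."""
    return [(peer, naive_client_ip(peer, hdrs)) for peer, hdrs in requests
            if naive_client_ip(peer, hdrs) != hardened_client_ip(peer, hdrs)]

# Constructed sample requests: (socket peer address, request headers).
SAMPLE = [
    ("203.0.113.7", {}),
    ("203.0.113.7", {"Client-IP": "198.51.100.99"}),
    ("10.0.0.5", {"X-Forwarded-For": "192.0.2.44"}),
    ("10.0.0.5", {"X-Forwarded-For": "198.51.100.1, 192.0.2.44"}),
]
```

Running `mismatches` over joined application and web server log records is one way to spot entries where the two disagree about the source address.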
**Updated Saturday June 3rd**
WordPress 2.0.3 is now available for [download](http://wordpress.org/download/) to address this exploit. The [upgrade](http://codex.wordpress.org/Upgrading_WordPress#Upgrade_2.0.2_to_2.0.3) worked flawlessly in less than 5 minutes.