For those who don't know, WordPress 2.9.1 was released a couple of days ago. As a result, the "WordPress 2.9.1 is available! Please update now." nag is plastered at the top of the admin interface. Since installing yet another unnecessary WordPress plug-in for something so simple seems pointless, I came up with a quick, easy-to-implement WordPress hack. Don't even bother continuing unless you're comfortable editing a core WordPress file.
IP Intelligence adds the ability to retrieve information about a commentator's IP address without leaving the "edit-comments.php" page. Version 0.0.1 is capable of retrieving the following information:
Wow, four WordPress plugin exploits released in under a week. Are these plugin authors really amateurs, or just trying to pwn WordPress blogs?
That's right, WordPress kiddies, two new vulnerabilities, and they're pretty nasty. Author Houssamix from H-T Team has released two remote SQL injection proofs of concept for WP-Cal and fGallery 2.4.1.
milw0rm.com has released another WordPress plugin vulnerability, this time it's WP-Forum 1.7.4. I'm no expert at deciphering exactly how exploits work, but this remote SQL injection appears to grant the attacker administrative privileges. If you're using WP-Forum 1.7.4 or earlier on your WordPress blog, uninstalling this vulnerable plugin is highly recommended.
milw0rm has announced a new exploit for the WordPress plugin WP-Filemanager 1.2. The hole lets attackers upload pretty much anything they want, including malicious PHP scripts.