Milworm has announced a new exploit for the Wordpress Plugin, WP-Filemanager 1.2. The hole lets attackers upload pretty much anything they want, including evil PHP scripts.
For the details, check out: http://www.milw0rm.com/exploits/4844
If you don't use the WP-Filemanager plugin and your Wordpress installation is current, don't worry, you're in the clear. Otherwise, I highly recommend you uninstall the plugin all together, or j00r b0x will get pwned. It's times like this when I feel sorry for people with shared hosting accounts. Your site could fall victim to an attack because of some moron's inability to keep their site secure.
Please note, the exploit was released today, so there's still time, maybe. If you run WP-Filemanager 1.2, fix it now.
In addition, the following exploits were released and are available on Milworm's web-site:
- PortalApp 4.0 (SQL/XSS/Auth Bypasses) Multiple Remote Vulnerabilities
- XOOPS mod_gallery Zend_Hash_key + Extract RFI Vulnerability
- Uebimiau Web-Mail Remote File Disclosure Vulnerability
- RunCMS Newbb_plus <= 0.92 Client IP Remote SQL Injection Exploit
- MODx CMS 0.9.6.1 Multiple Remote Vulnerabilities
Ahhh, what a great way to bring in the new year.
Word Count: 211
