There is a bug in WordPress right now that is rather critical for anyone who writes posts without publishing them immediately. Simply by manipulating the URL, any visitor can view all future, draft, or pending posts. Our site was vulnerable to this issue, but we patched it quickly because it could be used to retrieve the CyberNotes posts that we write ahead of time.
Why is this such a big deal? By gaining access to our future and unscheduled posts, other sites could copy our articles. They would then look like the ones who originally wrote the article, and we would look like the copiers, since our post would not publish until after theirs. To make things worse, your future/draft posts may also be available as an RSS feed.
–How it Works–
Without going into too much detail we’ll just say that WordPress is incorrectly checking to see whether a user is an administrator. Using Problogger.net as an example, you can visit this URL to reveal some of his upcoming posts:
If a website is not using the FeedBurner redirect plugin all of the future posts will be available through an RSS feed as well. The URL for that would look something like this:
That would not be good because there are thousands of sites out there that are set up to scrape feeds from websites and then publish the content on their own site. This would give them easy access to all of your unpublished content.
–How to Fix It–
UPDATE: The workaround below didn’t do as much good as I thought, but a new version of WordPress has already been released which corrects the issue. We recommend upgrading your WordPress as soon as possible.
WordPress 2.3.2 is in the works, and the bug should be fixed by the time it is released. The How-To Geek tipped me off on a quick fix for all of you who just want a temporary workaround. Here’s what you have to do:
- In your blog’s WordPress files open the wp-includes/query.php file.
- Find line 37 which should look something like this:
- We need to make the wp-admin/ portion more specific. For us, we changed it to cybernetnews.com/wp-admin/, but yours will be a bit different. Just go to the page where you log in to your blog, and copy the portion after http:// and before wp-admin/. Then paste that before the wp-admin/ on line 37:
- That’s it! If you’re using a cache plugin you may need to clear the cache, or give it some time for the pages to be refreshed.
This is just a temporary fix, and when WordPress 2.3.2 is released you’ll obviously want to upgrade.
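The flawed administrator check described under “How it Works”, and the reason the line 37 workaround could only ever be a stopgap, as an added example that is not WordPress’s own code and not the contents of line 37 (which this post does not reproduce). It assumes the check decides “admin” by looking for a substring in the request URI, which is what the “make the wp-admin/ portion more specific” step implies; the function names and the sample request paths are made up.

```php
<?php
// Added example, not WordPress's own code. Assumption: the admin check
// keys on a substring of the request URI, as the workaround step implies.

// Weak check: a request counts as "admin" if its URI contains the marker.
// The workaround only lengthens $marker; the URI is still visitor-controlled
// input, so this stays a heuristic rather than an authorization check.
function isAdminByUri(string $requestUri, string $marker = 'wp-admin/'): bool
{
    return strpos($requestUri, $marker) !== false;
}

// Sound check: the admin entry script sets a flag while bootstrapping.
// Front-end requests never run that script, so nothing in the URL,
// query string or headers can switch the flag on.
function isAdminByBootstrapFlag(array $requestContext): bool
{
    return !empty($requestContext['admin_bootstrap']);
}

// Post statuses a query may return, given the check's verdict.
function visibleStatuses(bool $isAdmin): array
{
    return $isAdmin ? ['publish', 'future', 'draft', 'pending'] : ['publish'];
}

// Constructed request URIs (hypothetical, not taken from any real site).
$requests = [
    'front page'                        => '/',
    'real admin screen'                 => '/wp-admin/edit.php',
    'front-end URL containing marker'   => '/2007/12/a-post/?x=wp-admin/',
    'front-end URL, workaround marker'  => '/2007/12/a-post/?x=example.com/wp-admin/',
];

foreach ($requests as $label => $uri) {
    $original   = isAdminByUri($uri);                           // as shipped
    $workaround = isAdminByUri($uri, 'example.com/wp-admin/');  // this post's edit
    printf("%-34s original=%-5s workaround=%-5s statuses=%s\n", $label,
        var_export($original, true), var_export($workaround, true),
        implode(',', visibleStatuses($original)));
}

// With the bootstrap flag, only a request that actually ran the admin
// entry script is treated as admin, regardless of what its URI contains.
$frontEnd = ['uri' => '/2007/12/a-post/?x=wp-admin/'];
$adminRun = ['uri' => '/wp-admin/edit.php', 'admin_bootstrap' => true];
printf("flag check, front-end: %s\n", var_export(isAdminByBootstrapFlag($frontEnd), true));
printf("flag check, admin run: %s\n", var_export(isAdminByBootstrapFlag($adminRun), true));
```

The table the script prints shows that any request able to place the marker in its own URI satisfies the substring check, whichever marker is used, whereas the flag set by the admin bootstrap cannot be influenced from the front end at all; that is the kind of fix an upgrade delivers.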
[via Black Hat Domainer]