rgod has discovered a vulnerability in WordPress, which can be exploited by malicious users to compromise a vulnerable system.
Input passed to various fields when registering or updating the user profile isn't properly sanitised before being stored in PHP scripts in the wp-content/cache/userlogins/ and wp-content/cache/users/ directories inside the web root. This can be exploited to inject and execute arbitrary PHP code via the newline character.
It is also possible to supply a spoofed IP address when registering by setting the "PC_REMOTE_ADDR" HTTP header.
The vulnerability has been confirmed in version 2.0.2. Prior versions may also be affected.
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to email@example.com