Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
  • @josephscott
    Information has been made available to WordPress already this year by CoreLabs around June/July.

    @rwboyer
    “You are technically correct but the big damage comes in the xmlrpc.php” I agree.

    “see if I can track this fool down.”
    That’s going to be a problem because I already have seen 3 different IP addresses on our site and have seen about 4 different ones posted on the forums here…

    The other thing is, there are proofs of concept out there on the internets that also work with the problem where admin.php allows basic registered users to fire PHP files that only an administrator should be able to… so I guess we aren’t out of the woods just yet.

    Just to get things clear here, removing/renaming or changing file permissions on the file: xmlrpc.php is NOT enough!

    The script first makes a simple user (but because of an error in admin.php, not easily fixed by WordPress (plugin issues)) the simple user is able to fire wp-admin/options-permalink.php and change the permalink… it does this because it needs the weird eval/base64 thing to actually get the code fired by xmlrpc.php.
    To stop the script in its tracks you only need to either change the name of options-permalink.php or change its permissions… and to be sure do the same thing with xmlrpc.php

    I cannot verify but I highly suspect this problem is still in the latest build of this moment.

    The best quick fix I found is renaming:
    wp-admin/options-permalink.php
    /xmlrpc.php

    to something else and wait till the WordPress guys fix this… there were 4 attempts today on my website…
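One way to spot the sequence the post describes in web server access logs: the same client address POSTs to wp-admin/options-permalink.php and then, shortly afterwards, requests xmlrpc.php. This is an added example, not code from this thread or from WordPress; it assumes the Apache/nginx "combined" log format, a ten-minute window (an arbitrary choice), and the sample log lines below are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed input format: Apache/nginx "combined" access log.
# Captures client IP, timestamp, method, request path and HTTP status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The two files named in the post; the chain of interest is
# POST options-permalink.php -> request to xmlrpc.php from one address.
PERMALINK_PATH = "/wp-admin/options-permalink.php"
XMLRPC_PATH = "/xmlrpc.php"
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample log lines (not real traffic). 203.0.113.7 shows the
# chain; 198.51.100.9 touches both files but in the wrong order and over
# an hour apart; 192.0.2.5 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2007:14:02:11 +0000] "POST /wp-admin/options-permalink.php HTTP/1.1" 302 5
203.0.113.7 - - [10/Sep/2007:14:02:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 312
198.51.100.9 - - [10/Sep/2007:14:05:00 +0000] "GET /xmlrpc.php HTTP/1.1" 200 42
198.51.100.9 - - [10/Sep/2007:15:30:00 +0000] "POST /wp-admin/options-permalink.php HTTP/1.1" 200 1500
192.0.2.5 - - [10/Sep/2007:14:10:00 +0000] "GET /?p=12 HTTP/1.1" 200 8000
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        # Drop any query string so "/xmlrpc.php?x=1" still matches.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_chains(lines, window=WINDOW):
    """Return (ip, permalink_ts, xmlrpc_ts) for every address that POSTed to
    options-permalink.php and then requested xmlrpc.php within `window`.
    Lines are processed in file order, so the permalink change must come first."""
    recent_permalink = defaultdict(list)  # ip -> timestamps of permalink POSTs
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than abort the scan
        if rec["path"] == PERMALINK_PATH and rec["method"] == "POST":
            recent_permalink[rec["ip"]].append(rec["ts"])
        elif rec["path"] == XMLRPC_PATH:
            for t in recent_permalink[rec["ip"]]:
                if timedelta(0) <= rec["ts"] - t <= window:
                    hits.append((rec["ip"], t, rec["ts"]))
                    break
    return hits


if __name__ == "__main__":
    for ip, t1, t2 in find_chains(SAMPLE_LOG.splitlines()):
        print(f"{ip}: options-permalink.php at {t1:%H:%M:%S}, xmlrpc.php at {t2:%H:%M:%S}")
```

On the constructed sample only 203.0.113.7 is reported; the out-of-order pair from 198.51.100.9 is not, which is the intended behaviour, since a legitimate administrator editing permalinks will also POST to options-permalink.php and should not be flagged on that alone. Feed it a real log with `find_chains(open("access.log"))` and treat each hit as a lead to review, not as proof of compromise.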
