I’ve been informed, through the automated annotation service that’s integrated in the popular Spamkarma 2 plugin for WordPress, that everybody, regardless of the WordPress version used, should deactivate the “everyone can register” free guest registration immediately, for security reasons. Apparently there’s a major security hole in WordPress connected to this feature which is not yet closed (and apparently no patch is available yet, otherwise the advice would sound different, right?).
Currently I have no further details available, but I’ll investigate this issue and let you know if there’s any news about it.
At the present time you should follow this advice (you know, Dr. Dave, the developer of Spamkarma2, is one of the best known and most valuable WordPress community contributors, so there definitely is an issue if he uses his very own plugin to give such an important piece of advice!).
Update: In the meantime, I think I was able to confirm the severity of this issue merely by looking through the WP sources. Gosh, I must admit that I never thought that WP could contain such a blatantly silly security error. I’m wondering why it hasn’t been exploited before!
For pretty obvious reasons, I won’t publish any details before a fix is available, otherwise I’d leave hundreds of thousands of blogs at the mercy of hackers. It’s awful enough that it is so damn easy to track that issue down once you know what you have to look for.
Update 2: Just to clear things up a little - I have not exploited the leak for real, I just examined the code, and I think I’ve found the code parts DrDave refers to as being insecure. Regardless of whether I’ve identified the correct place for the issue or not, I trust DrDave, as the developer of one of the best and most important plugins for WP that has ever been published, to have thought about the publication of his warning thoroughly before doing so. On the other hand, it is a well known fact that Matt isn’t very fond of any sort of security leak disclosure for WP, and it is just as well known that I am not very fond of the way he handles these issues (we crossed swords about this some time ago, when several other issues were discovered).
And yes, his message refers to WordPress alone, not to Spamkarma2! If it were a Spamkarma2-induced issue, he’d have silently fixed the bug, rolled out a new updated release and published a notice about an important new SK2 release instead, right?