Steven J. Murdoch has discovered a vulnerability in WordPress 2.5 that may allow a registered user to gain admin level access on the blog. Only WP 2.5 blogs that permit users to register user accounts are vulnerable.
According to Steven:
This vulnerability exists because it is possible to modify
authentication cookies without invalidating the cryptographic
integrity protection.If a Wordpress blog is configured to freely permit account creation,
a remote attacker can gain Wordpress-administrator access and then
elevate this to arbitrary code execution as the web server user.
The fix is fairly straight forward and WordPress have released a fix in WordPress 2.5.1.
Please note this vulnerability is different to [blogsecurity.net]
Steven’s Advisory is available here.