Unquote - 0-Day Protection


Read the advisory about WordPress 3.x script injection here.

In case you can't update to the latest versions, you can protect your WordPress site from the problem by disabling the texturization feature. The original advisory details how this can be done on source-code level.

Our Unquote plugin can be alternatively used for this purpose. Download it here.

Vulnerability test


To test whether your WordPress server is vulnerable, copy the code below and paste it as a comment to a WordPress blog post or page.

If you have a vulnerable version and don't use any workaround, the posted comment includes a flashing image and a link to this page. Normally images aren't allowed in comments.

If you are not vulnerable, the comment shows as the text "NOT VULNERABLE" (plus some punctuation side-effects).

The code should be copied exactly as it's here, without breaking it to several lines.

We can't give a warranty that this test is 100% reliable. It also relies on the Tinypic service so the image may not show if there are connectivity or other problems.

The preferred solution should be applying the official patch from the vendor.

Image source: Artlung, Amiga Guru Meditation