PHP XMLRPC Remote Code Execution Vulnerability affecting Popular Blogging and CMS Platforms like WordPress 1.5.1.2 (and lower), PostNuke, Drupal, b2evolution, TikiWiki, etc.
By Angsuman Chakraborty, Gaea News Network. Tuesday, July 5, 2005
PHPXMLRPC, aka XML-RPC For PHP, is a PHP implementation of XML-RPC, a web RPC protocol, and was originally developed by Edd Dumbill of Useful Information Company. As of the 1.0 stable release, the project has been opened to wider involvement and moved to SourceForge. PHPXMLRPC is used in a large number of popular web applications such as PostNuke, Drupal, b2evolution, and TikiWiki. Unfortunately, PHPXMLRPC is vulnerable to a remote PHP code execution vulnerability that may be exploited by an attacker to compromise a vulnerable system.
Update:
WordPress 1.5.1.2 and lower installations are affected by a similar, but not identical, vulnerability. WordPress does not use the PHPXMLRPC library described above.
Solution:
An updated version of PHPXMLRPC can be downloaded from their official website. All users are advised to upgrade immediately. This is a serious vulnerability and it is being actively exploited in the wild.
WordPress users should immediately upgrade to WordPress 1.5.1.3.
For WordPress users already on 1.5.1.2 I have made a patch available to automatically upgrade to 1.5.1.3. You just have to unzip the file in the WordPress root directory. And you are done! This is very suitable for users who made custom additions/changes to WordPress files and directories, and others who simply do not wish to go through (or are afraid of going through) the whole rigmarole of a full upgrade.
If upgrading is not feasible for you at this time, then delete the xmlrpc.php file from the WordPress root directory as a workaround.
More details on the vulnerability and the exploit can be found here.
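As an added example (not from the original post, and not code from the WordPress or PHPXMLRPC projects), the following Python script implements the two checks a site administrator would want after reading the advice above: whether a WordPress install is still on 1.5.1.2 or lower, and whether the web server's access log shows POST requests to xmlrpc.php that deserve a closer look. It assumes WordPress records its version in wp-includes/version.php as `$wp_version = '...'` and that the server writes Apache-style (NCSA) access log lines; the version file contents, log lines and IP addresses below are constructed samples.

```python
import re
from collections import Counter

# From the post: WordPress 1.5.1.3 is the release that carries the fix.
FIXED_WP_VERSION = (1, 5, 1, 3)

# Assumption (not stated in the post): WordPress stores its version in
# wp-includes/version.php on a line of the form  $wp_version = '1.5.1.2';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9]+(?:\.[0-9]+)*)['\"]")


def parse_version(text):
    """Return the recorded version as a tuple of ints, or None if no $wp_version line is found."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def wordpress_needs_upgrade(version_php_text):
    """True when the install is older than 1.5.1.3, i.e. 1.5.1.2 or lower (the affected range)."""
    version = parse_version(version_php_text)
    if version is None:
        raise ValueError("no $wp_version assignment found in version.php text")
    # Tuple comparison handles short versions such as (1, 5) correctly.
    return version < FIXED_WP_VERSION


# NCSA common/combined access log format as written by Apache:
# client ident user [timestamp] "METHOD path protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def xmlrpc_posts(log_lines):
    """Return (source_ip, timestamp, status) for every POST whose path ends in xmlrpc.php.

    The query string is stripped before the comparison so that xmlrpc.php?x=1 is
    still caught. Lines that do not parse are skipped rather than aborting the
    scan, so a partially corrupt log still yields results.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path.endswith("/xmlrpc.php"):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


def posts_per_source(log_lines):
    """Count xmlrpc.php POSTs per client address; one source hammering the endpoint stands out."""
    return Counter(ip for ip, _, _ in xmlrpc_posts(log_lines))


# Constructed sample of wp-includes/version.php for an affected install.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '1.5.1.2';\n?>\n"

# Constructed access log lines; addresses are from the documentation ranges.
SAMPLE_LOG = [
    '203.0.113.9 - - [05/Jul/2005:23:41:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 341 "-" "-"',
    '203.0.113.9 - - [05/Jul/2005:23:41:05 +0000] "POST /xmlrpc.php HTTP/1.0" 200 298 "-" "-"',
    '198.51.100.7 - - [05/Jul/2005:23:42:17 +0000] "POST /blog/xmlrpc.php?debug=1 HTTP/1.1" 200 512 "-" "sample-client/1.0"',
    '192.0.2.44 - - [05/Jul/2005:23:43:00 +0000] "GET /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [05/Jul/2005:23:43:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("WordPress needs upgrade:", wordpress_needs_upgrade(SAMPLE_VERSION_PHP))
    for ip, ts, status in xmlrpc_posts(SAMPLE_LOG):
        print(f"{ts}  {ip}  POST xmlrpc.php -> {status}")
    print("POSTs per source:", dict(posts_per_source(SAMPLE_LOG)))
```

Legitimate XML-RPC clients (desktop blog editors, pingbacks from other blogs) also POST to xmlrpc.php, so a hit is a lead for triage rather than proof of compromise; pair the per-source counts with the modification times of files such as index.php to narrow down which requests matter. Note that deleting xmlrpc.php, as the workaround above suggests, also cuts off those legitimate clients until the upgrade is done.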
October 10, 2005: 1:15 pm
[...] It turns out the weak spot was a file called “xmlrpc.php.” It’s a web service that helps move data, and is part of the standard WordPress installation. Its vulnerability had been documented, but I’d missed it. BunnySlippers had used it to overwrite the file “index.php,” the main file which generates all the pages on this site. [...]
johnaugust.com » What happened