The bug is actually in WordPress 2.0.x (update coming soon), but the way Subscribe to Comments was calculating its security hashes (which exist so other people can’t unsubscribe you) meant they could be manipulated to make it easier to take advantage of the bug in WordPress.
To be vulnerable, all of the following need to be true:
- WordPress 2.0, 2.0.1, or 2.0.2
- User registration on (it is off by default)
- WP’s default object cache on (it is off by default in WP 2.0.2)
- One of either:
  - Weak MySQL password (i.e. “guessable” by dictionary attack, or blank)
  - Subscribe to Comments 2.0.0-2.0.2
Thankfully, very few WordPress installs will meet these criteria, especially since the WP object cache can only be turned on by editing
Other changes in Subscribe to Comments 2.0.4 include a switch from user levels to capabilities (you need manage_options to have full control of Subscribe to Comments), and several small behind-the-scenes improvements. Hopefully, you won’t notice that anything has changed!