Rgod Releases New Exploit for WordPress <= 2.0.6
This time the exploit abuses global variables in “/wp-trackback.php”. It only works if “register_globals” is enabled on the host PHP server (e.g. “/etc/php.ini” contains “register_globals = On”) and trackbacks are enabled on the WordPress <= 2.0.6 installation.
On success, the exploit retrieves the password hash of the admin user.
The first thing to do if you want to defend your blog is to check whether “register_globals” is enabled on your PHP server. Open an SSH session to your server and check it with:
php -i | grep -i register_globals
If the server prints something like register_globals => Off => Off, you don’t have to worry about this exploit. If you don’t have SSH access to your machine, you can check the setting by creating a file such as info.php on the server containing a single phpinfo() call.
Then request that file from your browser (http://yourhost/info.php) and look for the “register_globals” row.
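The following script is an added example (not from the original post) that reports only the directive in question instead of the full phpinfo() page, which discloses paths, modules and environment to anyone who finds it. The file name, the hypothetical rg_probe parameter name and the function names are assumptions; the script deliberately avoids PHP 7 syntax so that it runs on the PHP 5 hosts where register_globals still exists.

```php
<?php
// register_globals_check.php -- added example, not code from the original post.
// Upload it to the web root, request it once, read the result, then delete it.
// Written without PHP 7 syntax so it runs on the PHP 5 hosts where the
// directive still exists (it was removed in PHP 5.4).

/**
 * Configured value of register_globals, normalised to a boolean.
 * The ini parser stores On/Yes/True as "1" and Off/No/False as "",
 * but the textual forms are accepted too in case the value was set
 * at runtime or by a host-specific SAPI.
 */
function register_globals_enabled()
{
    $raw = ini_get('register_globals');
    if ($raw === false) {
        return false;   // directive unknown to this PHP build: always off
    }
    return in_array(strtolower(trim($raw)), array('1', 'on', 'yes', 'true'), true);
}

/**
 * Behavioural probe, independent of the ini value: request the script as
 * register_globals_check.php?rg_probe=1. With register_globals=On the
 * parameter is registered as a global $rg_probe before the script runs.
 * "rg_probe" is a hypothetical name chosen for this check; the function
 * returns null when the probe parameter was not sent.
 */
function register_globals_probe()
{
    if (!isset($_GET['rg_probe'])) {
        return null;
    }
    return isset($GLOBALS['rg_probe']);
}

$enabled = register_globals_enabled();
$probe   = register_globals_probe();

header('Content-Type: text/plain');   // ignored by the CLI SAPI, harmless there
echo "PHP version      : " . PHP_VERSION . "\n";
echo "register_globals : " . ($enabled ? "On  (vulnerable configuration)" : "Off") . "\n";
if ($probe !== null) {
    echo "request probe    : " . ($probe ? "parameter became a global variable"
                                         : "parameter stayed in \$_GET only") . "\n";
}
if ($enabled) {
    echo "\nTurn it off in php.ini:   register_globals = Off\n";
    echo "or, on Apache/mod_php hosts where php.ini is not editable, in .htaccess:\n";
    echo "                          php_flag register_globals off\n";
}
```

Request it as http://yourhost/register_globals_check.php?rg_probe=1 so that both the configured value and the behavioural probe are shown, and remove the file afterwards. The .htaccess route only works where the host permits it (AllowOverride Options) and PHP runs as an Apache module; on CGI/FastCGI setups a per-directory php.ini is the equivalent.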
If “register_globals” is On, every argument passed to any of your .php scripts via GET or POST automatically becomes a variable that the script can use; that is the behaviour this exploit relies on.
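To show why that behaviour matters, here is an added example (not from the original post and not WordPress code) of the generic bug class: a script that relies on a variable it never initialised, next to the hardened form. extract() reproduces what register_globals does to the global scope, so the effect can be observed on a constructed request without changing php.ini; the function names, DEMO_PASSWORD and the sample requests are all constructed for this demonstration.

```php
<?php
// register_globals_demo.php -- added example, not code from the original post
// or from WordPress. Run with: php register_globals_demo.php
//
// register_globals=On turns every request parameter into a PHP variable before
// the script runs. extract() does the same thing explicitly, so it is used here
// to reproduce the effect on a constructed request array.

define('DEMO_PASSWORD', 'correct horse');   // constructed sample secret

/**
 * The fragile pattern: $authorized is only assigned on the success path and is
 * assumed to be empty otherwise. The comparison itself is fine; the defect is
 * the uninitialised variable combined with register_globals, which lets the
 * request pre-set it.
 */
function vulnerable_login(array $request)
{
    extract($request);              // simulates register_globals=On
    if (isset($password) && $password === DEMO_PASSWORD) {
        $authorized = true;
    }
    return !empty($authorized);     // request-controlled if 'authorized' was sent
}

/**
 * Hardened form: every variable the script relies on is initialised first, and
 * request data is read by explicit key only (in real code from $_POST), so no
 * unexpected parameter can define a variable the logic trusts.
 */
function hardened_login(array $request)
{
    $authorized = false;
    $password   = isset($request['password']) ? $request['password'] : '';
    if ($password === DEMO_PASSWORD) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed requests: two normal ones and one that carries no password at
// all but smuggles an 'authorized' parameter.
$cases = array(
    'legitimate login'       => array('password' => DEMO_PASSWORD),
    'wrong password'         => array('password' => 'guess'),
    'injected authorized=1'  => array('authorized' => '1'),
);

foreach ($cases as $label => $request) {
    printf("%-24s vulnerable=%-5s hardened=%s\n", $label,
        vulnerable_login($request) ? 'true' : 'false',
        hardened_login($request)   ? 'true' : 'false');
}
```

Only the third case separates the two functions: the fragile version accepts the request because extract() created $authorized before the check ran, while the hardened version rejects it because the variable was initialised to false. The same audit question, "is every variable I branch on assigned before it is read, from a source I chose?", is what reviewing a script like wp-trackback.php comes down to when register_globals cannot be turned off.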
If you cannot disable this setting on the PHP server, the only thing that can save your blog is to disable trackbacks. The option is usually found under “Options / Discussion / Allow link notifications from other Weblogs (pingbacks and trackbacks.)”.
Here’s Rgod’s link to the exploit: link
That is all for now. We are again waiting for an official patch.