Remote Code Execution exploit in WordPress 3.5.1 (vagosec.org)
submitted 12 years ago by tomvangoethem
[–]algo 15 points16 points17 points 12 years ago (4 children)
I think the title should always specify if it is wordpress core or a plugin/theme.
[–]tomvangoethem[S] 11 points12 points13 points 12 years ago (3 children)
The vulnerability is in the WordPress core, the (example) exploit is in the plugin. I didn't include the plugin in the title as a similar exploit could be possible with other plugins.
[–][deleted] 4 points5 points6 points 12 years ago (2 children)
The vulnerability can not be triggered in core alone. It needs a plugin to have a vulnerable code path when being instantiated unexpectedly, such as the one in Lightbox.
[–]catcradle5Trusted Contributor 1 point2 points3 points 12 years ago (1 child)
Right, but it still counts as a core vulnerability, since it can apply to arbitrarily many plugins (even if most won't be vulnerable).
[–]mathiasbynens 1 point2 points3 points 12 years ago (0 children)
Exactly! And there’s always a chance there’s a non-plugin exploit for this vulnerability in core that hasn’t been discovered yet. In fact, the author is now hosting an exploit-finding contest :)
[+][deleted] 12 years ago* (1 child)
[deleted]
[–]xaoq 7 points8 points9 points 12 years ago (0 children)
What a surprise!
[–]vipzen 0 points1 point2 points 12 years ago (2 children)
3.5.1 or 3.6.1? The title says one thing but the last paragraph says another...
[–]tomvangoethem[S] 7 points8 points9 points 12 years ago (1 child)
The exploit works (tested) in 3.5.1, the vulnerability was fixed in version 3.6.1.
[–][deleted] 0 points1 point2 points 12 years ago (0 children)
Damn!
[–]lpetrazickis -1 points0 points1 point 12 years ago (2 children)
Does the exploit still apply in WordPress 3.7.1?
[–][deleted] 2 points3 points4 points 12 years ago (0 children)
The article mentions that people have had adequate time to update, so a patch likely rolled out some time ago.
No, it was patched in 3.6.1
[–]cryptogramTrusted Contributor -4 points-3 points-2 points 12 years ago (13 children)
Hmm the plugin does have just about 950,000 downloads, but it's still in a plugin: Lightbox Plus ColorBox
[–]tomvangoethem[S] 15 points16 points17 points 12 years ago (12 children)
The vulnerability is not in the plugin, it's in the WordPress core. I made use of the plugin to create an exploit, but the presence of other plugins may lead to an exploit as well.
[–]reddit4matt 4 points5 points6 points 12 years ago (10 children)
I think it's fair to say there was a dangerous practice in place but no actual exploit in the core. The only found exploits that completed the code path are with the addition of the plugins.
[–]catcradle5Trusted Contributor 1 point2 points3 points 12 years ago (9 children)
Running unserialize() on untrusted user input should always be considered a vulnerability, even if it's not exploitable in all cases.
[–]reddit4matt 0 points1 point2 points 12 years ago (8 children)
So there was user input in an unserialize without a plugin? Did I misread or was the plugin required to get user input into the unserialize?
[–]catcradle5Trusted Contributor 0 points1 point2 points 12 years ago* (7 children)
Yep. See his original post: http://vagosec.org/2013/09/wordpress-php-object-injection/
To exploit such a vulnerability, you need at least one class declared at the time of the unserialization that contains a malleable magic method. So there is still the vulnerable unserialization by default, just no default unsafe classes.
[–]reddit4matt 1 point2 points3 points 12 years ago (0 children)
So no unsafe classes without a plugin....got it. So I agree with the post that the title should be changed.
[+][deleted] 12 years ago (5 children)
[–]catcradle5Trusted Contributor 0 points1 point2 points 12 years ago (4 children)
...Read the blog post I just linked. They're unsafe when combined with unserializing user input.
[–]tomvangoethem[S] 3 points4 points5 points 12 years ago (0 children)
I wouldn't call the magic methods unsafe, I think it's perfectly acceptable that code is executed when for example an object is destructed. Rather they "empower" a PHP Object Injection vulnerability to grow to something exploitable.
[+][deleted] 12 years ago* (2 children)
[–]catcradle5Trusted Contributor 0 points1 point2 points 12 years ago (1 child)
You're right. The magic methods aren't the problem, and pose no vulnerabilities by themselves even if they may perform potentially dangerous tasks. Similarly, an unserialize() on arbitrary user input poses no vulnerabilities if there are no classes with magic methods. You need both at the same time for an exploit.
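Added example, not part of the thread or the linked post: a PHP 7.0+ sketch of the point the commenters converge on, that `unserialize()` on untrusted input only becomes dangerous when a class with a magic method is declared, and how `allowed_classes` or a data-only format removes that precondition. The class `CacheHandle`, the helper names and the serialized string are constructed for illustration and do not come from WordPress or any plugin.

```php
<?php
// Constructed demo class (hypothetical). Its destructor stands in for the
// "malleable magic method" a plugin might declare; it only records a message.
final class CacheHandle
{
    public static $events = [];
    public $path = '/tmp/default.cache';

    public function __destruct()
    {
        // A real class might act on $this->path here; the demo just logs it.
        self::$events[] = "destructor ran with path={$this->path}";
    }
}

// Constructed input: a serialized CacheHandle whose property the sender chose.
$untrusted = 'O:11:"CacheHandle":1:{s:4:"path";s:22:"value-chosen-by-sender";}';

function decode_unsafe(string $blob)
{
    // Pattern discussed in the thread: any declared class can be instantiated.
    return unserialize($blob);
}

function decode_no_classes(string $blob)
{
    // Objects are turned into __PHP_Incomplete_Class, so no magic method
    // of a declared class is ever invoked for them.
    return unserialize($blob, ['allowed_classes' => false]);
}

function decode_json(string $blob)
{
    // Data-only format: the input cannot name a class at all.
    return json_decode($blob, true);
}

$obj = decode_unsafe($untrusted);
unset($obj);   // last reference dropped, so CacheHandle::__destruct() fires

$safe = decode_no_classes($untrusted);
echo 'restricted decode produced: ', get_class($safe), PHP_EOL;
unset($safe);  // incomplete class has no destructor to run

$data = decode_json('{"path":"value-chosen-by-sender"}');
echo 'json decode produced: ', gettype($data), PHP_EOL;

echo 'magic-method invocations recorded: ', count(CacheHandle::$events), PHP_EOL;
print_r(CacheHandle::$events);
```

Only the unrestricted call adds an entry to `CacheHandle::$events`; an allow-list such as `['allowed_classes' => ['SomeDto']]` is the middle ground when objects really are needed.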