Paypal running wordpress 2.3.3 - Bug Bounty #1

Paypal is a well known company that is used for quick payment transactions. Because of this vunereablities on their webpage are especially sensitive. During our leisure time we found a couple of potential dangerous security issues.

First on to be found was an outdated Wordpress installation. Wordpress is a well know bloggingsoftware which is a very close to a content management system (CMS). Therefor companies that want to keep their customer frequently updated have an interesst in software like that. We found out that the outdated version of the Wordpress was published Feburary 2008. It seems like it has not been updated for almost 4 and a half years (We have discovered that issue on the 15th of october 2012). That is a “No Go” for a company like Paypal. The vulnerable wordpress installation was installed under the domain “”:

Screenshot of the outdated wordpressinstallation at Paypal

We also got some more backroung inforation on and found not only one but three security breaches with the highest CVE score of 10.

Overview of the security issues in wordpress 2.3.3


We reported our findings to the Paypals security department. Sometime later we recieved an E-Mail that informed us to be the first to find that Vunerability. Nevertheless it took Paypal another two months to finally update the wordpress installation. It is dissapointing and at the same time shocking that paypal was not able to update the software they use. Eventough the problem was eventually fixed, a company that deals with money has to be trusted. We hope that Paypal will response to issues like that more quickly in the future.

The team of