[h4ck_th3_pl4n3t]

The answer is likely wordpress, because its default wp_hash algorithm is still MD5.

[0points]

> The answer is likely wordpress, because its default wp_hash algorithm is still MD5.

That's only true if you ignore all the details.

As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.

WP uses salt and multiple rounds of hashing, fully mitigating the md5 collisions being topic of discussion here.

So no, wp doesn't "use md5" in the sense that they would be vulnerable to this type of attack.

Source: https://developer.wordpress.org/reference/functions/wp_hash_...

[h4ck_th3_pl4n3t]

Your source described wp_hash_password(), not wp_hash().

As the OP article/PoC is about hashing uploaded files, not passwords btw, I think you should read it again.

Because as I pointed out, wp_hash() is used to check against uploaded files.

Oh, and source: https://developer.wordpress.org/reference/functions/wp_hash/

And as I cannot resist quoting you for trying to smartass while literally not having read the source code the PoC was about:

> As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.

[downtown_]

This is not related to password hashing.,.

[high_na_euv]

Literally in this "article"

>Can use it bypass some cached webshell detections.

[eptcyka]

> As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone.

The amount of sweet, sweet irony displayed here will make me diabetic. Did you read the article at all? Salting? What are you on about?

Honestly, it feels that some HN commenters are LLMs instructed to defend a given entity.