WordPress 2.1.1 Dangerous

If you downloaded WordPress 2.1.1 sometime between Feb. 27 and Mar. 2, 2007, your blog may contain a security exploit added by a cracker who hacked the wordpress.org servers:

This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

Fix if you're running version 2.1.1: upgrade to 2.1.2 immediately.
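As an added example (not part of the original post or of WordPress itself), one way to check an installation for this kind of tampered download: hash every file under the installed tree, compare it against a manifest built from a pristine copy of the same release, and report modified, added and missing files. The file names and contents in the demo are constructed placeholders, not the actual files that were altered.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each file's path relative to root (slash-separated) to its SHA-256."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare_to_manifest(manifest, installed):
    """Return (modified, added, missing) file lists relative to the known-good manifest."""
    modified = sorted(p for p in manifest if p in installed and installed[p] != manifest[p])
    added = sorted(p for p in installed if p not in manifest)
    missing = sorted(p for p in manifest if p not in installed)
    return modified, added, missing


def demo():
    """Constructed scenario: a pristine tree and a copy in which one file was altered."""
    pristine = {"wp-includes/alpha.php": "<?php // constructed placeholder file ?>\n",
                "wp-includes/beta.php": "<?php // constructed placeholder file ?>\n"}
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as suspect:
        for d in (good, suspect):
            for rel, body in pristine.items():
                path = os.path.join(d, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as f:
                    f.write(body)
        # Simulate tampering: append a harmless marker line to one file in the suspect tree.
        with open(os.path.join(suspect, "wp-includes/alpha.php"), "a") as f:
            f.write("// constructed tampering marker\n")
        return compare_to_manifest(hash_tree(good), hash_tree(suspect))
```

In practice the manifest would be built from a freshly fetched release archive whose checksum has been verified out of band, since a manifest built from the same suspect download proves nothing.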
