A recent distribution of the popular blogging software WordPress was compromised during a server intrusion, the development team said late Friday. All WordPress users who have downloaded and installed version 2.1.1 are urged to immediately upgrade to version 2.1.2. Earlier versions of WordPress are not affected.
"This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress," developer Matt Mullenweg wrote on the WordPress blog. "The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened. It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. ... They modified two files in WP to include code that would allow for remote PHP execution."
The compromised code was distributed through the wordpress.org site for 3 to 4 days before the issue was detected. "Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous," said Mullenweg. "If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, especially those in wp-includes. ... If you are a web host or network administrator, block access to 'theme.php' and 'feed.php', and any query string with 'ix=' or 'iz=' in it."
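As an added example (not part of the original article), the following Python script applies the indicators from Mullenweg's advice above to web server access logs: it flags requests for theme.php or feed.php and any query string carrying an ix or iz parameter. The log lines, client addresses and query values are constructed; the wp-includes paths are an assumption based on the advisory's mention of that directory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the advisory quoted above: the two modified files
# and the two query-string parameters the advisory says to block.
SUSPECT_FILES = {"theme.php", "feed.php"}
SUSPECT_PARAMS = {"ix", "iz"}

# Apache/nginx "combined" access-log format (client, timestamp, request, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(target):
    """Return the list of indicator names a request target matches."""
    parts = urlsplit(target)
    hits = []
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name in SUSPECT_FILES:
        hits.append("file:" + name)
    # keep_blank_values so a bare 'ix=' with no value is still seen
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SUSPECT_PARAMS:
            hits.append("param:" + key.lower())
    return hits

def scan_log(lines):
    """Yield (client_ip, target, hits) for every log line matching an indicator."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m.group("target"))
        if hits:
            yield m.group("ip"), m.group("target"), hits

# Constructed sample log lines; addresses and query values are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2007:14:02:11 +0000] "GET /wp-includes/theme.php?iz=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Mar/2007:14:02:15 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Mar/2007:14:03:40 +0000] "GET /wp-includes/feed.php HTTP/1.1" 200 77 "-" "curl/7.15"',
    '192.0.2.44 - - [05/Mar/2007:14:05:02 +0000] "GET /?ix=1 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [05/Mar/2007:14:06:00 +0000] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(hits)}")
```

A hit on either indicator on a 2.1.1 site is a reason to follow the advisory's instruction to overwrite the installation, not only to block the request.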
WordPress is an open source blogging application that has become widely used, especially since its primary competitor, the commercial blogging app Movable Type, raised its prices in 2004.
PHP-driven blogging and CMS applications have become a popular target for hackers, who seek to exploit installations that have not patched published vulnerabilities. The WordPress issue is more problematic in that it involves a break-in to a development server and the distribution of compromised code that left users vulnerable to the crackers who installed the exploit.