WordPress Blog Worm Attack
WordPress had this to say about the potential vulnerability of using an older version of WordPress (versions 2.8.3 and earlier):
“This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at the user’s page.”
“It then attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.”
We’ve updated all of our clients’ WordPress blogs to the latest version 2.8.4, which is immune to the worm. This service was provided free of charge to all our clients who use WordPress.


