WordPress 2.1.1 dangerous, Upgrade to 2.1.2 – San Francisco

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow remote PHP execution.

This is the kind of thing you hope never happens, but it did and now we're dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we're declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can't happen again, not the least of which is external verification of the download package so we'll know immediately if something goes wrong for any reason.
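As an added illustration of the per-file verification described above, the script below is example code, not WordPress.org's own release tooling. It compares an unpacked package against a checksum manifest that is assumed to be generated at release time and published independently of the download, so that a file altered inside the package (as happened to two files here) is reported before anything is deployed. The package layout, file contents and manifest are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: detect tampering in an unpacked
# release by checking every file against an externally published manifest.

sha256_of() {
    # Portable SHA-256 of one file: coreutils sha256sum, else perl-based shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest DIR -> "<sha256>  <relative path>" for every file under DIR.
# Assumed to run at release time, with the output published on a separate host.
make_manifest() {
    (cd "$1" && find . -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(sha256_of "$f")" "${f#./}"
    done)
}

# verify_package DIR MANIFEST -> prints one line per problem (nothing if clean).
# Modified and missing files come from the manifest; files that exist but are
# not listed are reported too, since an attacker may add a file rather than edit one.
verify_package() {
    dir=$1; manifest=$2
    while read -r expected path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"
        elif [ "$(sha256_of "$dir/$path")" != "$expected" ]; then
            echo "MODIFIED $path"
        fi
    done < "$manifest"
    (cd "$dir" && find . -type f | sort) | while read -r f; do
        rel=${f#./}
        grep -q -- "  $rel\$" "$manifest" || echo "UNLISTED $rel"
    done
}

# package_is_clean DIR MANIFEST -> exit 0 only when verify_package reports nothing.
package_is_clean() {
    [ -z "$(verify_package "$1" "$2")" ]
}

# build_sample_package DIR -> a tiny constructed package tree (not real WP files).
build_sample_package() {
    mkdir -p "$1/wp-includes"
    printf '<?php // constructed stand-in, not the real file\n' > "$1/wp-includes/feed.php"
    printf '<?php // constructed stand-in, not the real file\n' > "$1/wp-includes/theme.php"
    printf '<?php // constructed stand-in, not the real file\n' > "$1/index.php"
}

# demo_clean -> exit 0: an untouched package matches its manifest.
demo_clean() {
    work=$(mktemp -d)
    build_sample_package "$work/pkg"
    make_manifest "$work/pkg" > "$work/manifest.sha256"
    package_is_clean "$work/pkg" "$work/manifest.sha256"; rc=$?
    rm -rf "$work"
    return $rc
}

# demo_tampered -> prints the findings for a package edited after the manifest
# was published (one constructed line appended to wp-includes/theme.php).
demo_tampered() {
    work=$(mktemp -d)
    build_sample_package "$work/pkg"
    make_manifest "$work/pkg" > "$work/manifest.sha256"
    printf '\n// constructed injected line\n' >> "$work/pkg/wp-includes/theme.php"
    verify_package "$work/pkg" "$work/manifest.sha256"
    rm -rf "$work"
}

echo "Tampered package:"
demo_tampered
echo "Clean package: $(demo_clean && echo OK || echo FAILED)"
```

The manifest is only useful if it reaches the user by a path the attacker does not control; a checksum file sitting next to the download on the same compromised server can be rewritten along with the package, which is why the post speaks of external verification.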

Finally, we reset passwords for a number of users with SVN and other access, so you may need to reset your password on the forums before you can log in again.

What You Can Do to Help

If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, especially those in wp-includes. Check your friends' blogs as well, and if any of them are running 2.1.1 drop them a note and, if you can, pitch in and help them with the upgrade.

If you are a web host or network administrator, block access to "theme.php" and "feed.php", and any query string with "ix=" or "iz=" in it. If you're a customer at a web host, you may want to send them a note to let them know about this release and the above information.
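The blocking rule above can be written down as a predicate and then used both to configure a filter and to find matching requests in existing access logs. The script below is an added example, not part of the original post or of WordPress; the log lines are constructed, the parameter values in them are meaningless placeholders, and the predicate matches `ix`/`iz` only as a whole parameter name (start of the query string or after `&`), which is slightly narrower than the post's wording so that legitimate parameters such as `suffix=` are not caught.

```shell
#!/bin/sh
# Added example, not from the original post: apply the host-level blocking rule
# as a predicate and use it to flag matching requests in access log lines.

# should_block REQUEST_TARGET -> exit 0 if the request should be blocked.
# REQUEST_TARGET is the path plus optional query, e.g. "/wp-includes/feed.php?iz=...".
should_block() {
    target=$1
    path=${target%%\?*}                 # everything before the first '?'
    case "$target" in
        *\?*) query=${target#*\?} ;;    # everything after the first '?'
        *)    query= ;;
    esac
    # Rule 1: the two files named in the post, wherever they sit in the tree.
    case "$path" in
        */theme.php|*/feed.php|theme.php|feed.php) return 0 ;;
    esac
    # Rule 2: a parameter named exactly ix or iz anywhere in the query string.
    printf '%s\n' "$query" | grep -Eq '(^|&)i[xz]=' && return 0
    return 1
}

# scan_access_log < logfile -> prints "client  request_target" per flagged line.
# Assumes the common/combined log format, where the request target is the 7th
# whitespace-separated field ('... "GET /path?query HTTP/1.1" ...').
scan_access_log() {
    while read -r line; do
        client=$(printf '%s\n' "$line" | awk '{print $1}')
        target=$(printf '%s\n' "$line" | awk '{print $7}')
        if should_block "$target"; then
            printf '%s  %s\n' "$client" "$target"
        fi
    done
}

# Constructed sample log (documentation IP ranges, placeholder parameter values).
SAMPLE_LOG='203.0.113.5 - - [03/Mar/2007:04:12:01 +0000] "GET /wp-includes/feed.php?iz=abc123 HTTP/1.1" 200 512 "-" "curl/7.15"
198.51.100.7 - - [03/Mar/2007:04:12:09 +0000] "GET /index.php?p=4&ix=def456 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.33 - - [03/Mar/2007:04:13:44 +0000] "GET /?p=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.34 - - [03/Mar/2007:04:14:02 +0000] "GET /index.php?suffix=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'

# run_sample -> flagged lines from the constructed log (expected: the first two).
run_sample() {
    printf '%s\n' "$SAMPLE_LOG" | scan_access_log
}

run_sample
```

The same two rules translate directly into a web-server filter: a path match on `theme.php` and `feed.php`, plus a condition on the query string for `(^|&)i[xz]=`. Running the scanner over logs from before the filter went in shows whether anyone already tried those parameters against the host.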

Thanks to Ryan, Barry, Donncha, Mark, Michael, and Dougal for working through the night to figure out and fix this problem, and thanks to Ivan Fratric for reporting it in the first place.

Questions and Answers

Due to the highly unusual nature of this event and release, we've set up an email address, 21securityfaq@wordpress.org, that you can send questions to, and we'll be updating this entry with more information throughout the day.

Is version 2.0 affected?

No downloads were modified except 2.1.1, so if you've downloaded any version of 2.0 you should be fine.

What if we upgrade from SVN?

Nothing in the Subversion repository was touched, so if you upgrade and maintain your blog via SVN there is no chance you downloaded the corrupted release file.


Cogknockers is a San Francisco WordPress Development Agency with 20+ Years Experience. WordPress Design is at the core of our services.
