Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.
Longer explanation: Today we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.
It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow remote PHP execution.
This is the kind of thing you hope never happens, but it did and now we're dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we're declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can't happen again, not the least of which is external verification of the download package so we'll know immediately if something goes wrong for any reason.
Finally, we reset passwords for a number of users with SVN and other access, so you may need to reset your password on the forums before you can log in again.
What You Can Do to Help
If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, especially those in wp-includes. Check out your friends' blogs and if any of them are running 2.1.1 drop them a note and, if you can, pitch in and help them with the upgrade.
If you are a web host or network administrator, block access to "theme.php" and "feed.php", and any query string with "ix=" or "iz=" in it. If you're a customer at a web host, you may want to send them a note to let them know about this release and the above information.
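For hosts who want to check whether the indicators above already appear in their access logs, here is an added example (not part of the original announcement or of WordPress) that scans Apache combined-format log lines for direct requests to theme.php or feed.php and for the "ix" and "iz" query parameters. The log lines are constructed for the demonstration, and the filenames and parameter names come straight from the advice above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2007:04:12:01 +0000] "GET /wp-includes/feed.php?ix=AAAA HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2007:04:12:09 +0000] "GET /wp-includes/theme.php?iz=BBBB HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2007:04:13:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 9032 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2007:04:13:05 +0000] "GET /wp-includes/feed.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2007:04:14:05 +0000] "GET /?matrix=1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Minimal parser for the request part of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators taken from the advisory: the two modified files and the two
# query-string parameter names that should be blocked.
SUSPECT_FILES = {"theme.php", "feed.php"}
SUSPECT_PARAMS = {"ix", "iz"}


def classify_target(target):
    """Return the advisory indicators that a request target matches."""
    parts = urlsplit(target)
    reasons = []
    filename = parts.path.rsplit("/", 1)[-1]
    if filename in SUSPECT_FILES:
        reasons.append("direct request to " + filename)
    # Match parameter *names*, so "?matrix=1" does not trip the "ix=" rule.
    names = set(parse_qs(parts.query, keep_blank_values=True))
    for name in sorted(names & SUSPECT_PARAMS):
        reasons.append("query parameter " + name)
    return reasons


def scan_log(text):
    """Return a list of (ip, timestamp, target, reasons) for suspicious lines."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_target(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, ts, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target} -> {'; '.join(reasons)}")
```

A host-level rule that blocks the raw substring "ix=" would also match parameter names that merely end in "ix" (such as "matrix=1"); parsing the parameter names, as the script does, avoids that false positive while still catching every request the advisory describes.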
Thanks to Ryan, Barry, Donncha, Mark, Michael, and Dougal for working through the night to identify and fix this problem, and thanks to Ivan Fratric for reporting it in the first place.
Questions and Answers
Because of the highly unusual nature of this event and release, we have set up an email address firstname.lastname@example.org that you can email questions to, and we'll be updating this entry with more information throughout the day.
Is version 2.0 affected?
No downloads were modified except 2.1.1, so if you have downloaded any version of 2.0 you should be fine.
What if we upgrade from SVN?
Nothing in the Subversion repository was touched, so if you update and maintain your blog through SVN there is no chance you downloaded the corrupted release files.