Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.
Longer explanation: Today we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.
It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow remote PHP execution.
This is the kind of thing you hope never happens, but it did and now we're dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we're declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and fully verified files. We are also taking lots of measures to ensure something like this can't happen again, not the least of which is external verification of the download package, so we'll know immediately if something goes wrong for any reason.
Finally, we reset passwords for a number of users with SVN and other access, so you may need to reset your password on the forums before you can log in again.
What You Can Do to Help
If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, particularly those in wp-includes. Check out your friends' blogs, and if any of them are running 2.1.1, drop them a note and, if you can, pitch in and help them with the upgrade.
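A full overwrite is recommended because a tampered file looks like any other PHP file at a glance. The script below is an added example, not tooling from WordPress or this announcement: it hashes every file in an installed tree against a clean copy unpacked from a verified package and reports which files differ, which are missing, and which are extra. The two directory trees it builds in `demo()` are constructed sample data, not real WordPress files.

```python
"""Compare an installed WordPress tree against a clean reference copy.

Added example (not WordPress's own tooling). Hash every file under a
directory unpacked from a verified package, hash the live install the
same way, and report the differences so the overwrite can be checked.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Map relative path -> sha256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_of(full)
    return result


def compare_trees(reference_dir, installed_dir):
    """Return (modified, missing, extra) as sorted lists of relative paths.

    modified: present in both trees but contents differ
    missing:  in the reference package but not in the install
    extra:    in the install but not in the package (wp-config.php,
              uploads and plugins will legitimately show up here)
    """
    ref = tree_hashes(reference_dir)
    inst = tree_hashes(installed_dir)
    modified = sorted(p for p in ref if p in inst and ref[p] != inst[p])
    missing = sorted(p for p in ref if p not in inst)
    extra = sorted(p for p in inst if p not in ref)
    return modified, missing, extra


def _write(root, rel, content):
    """Helper for the demo: write a small text file, creating parent dirs."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Build two constructed trees and diff them (sample data, not WP code)."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as inst:
        clean = "<?php\n// clean file (constructed)\n"
        for rel in ("wp-includes/theme.php", "wp-includes/feed.php", "wp-login.php"):
            _write(ref, rel, clean)
            _write(inst, rel, clean)
        # Simulate a tampered install: one wp-includes file has extra content.
        _write(inst, "wp-includes/feed.php", clean + "// CONSTRUCTED: appended line\n")
        # A site-specific file that is never part of the package.
        _write(inst, "wp-config.php", "<?php\n// site config (constructed)\n")
        return compare_trees(ref, inst)


if __name__ == "__main__":
    modified, missing, extra = demo()
    print("modified:", modified)
    print("missing: ", missing)
    print("extra:   ", extra)
```

On a real host you would point `compare_trees()` at the unpacked 2.1.2 archive and at the web root; anything listed under `modified` inside wp-includes is a file the overwrite must replace, and `extra` is where site-specific files and any dropped-in files not belonging to the package will appear for review.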
If you are a web host or network administrator, block access to "theme.php" and "feed.php", and any query string with "ix=" or "iz=" in it. If you're a customer at a web host, you may want to send them a note to let them know about this release and the above information.
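The same indicators the announcement asks hosts to block are also what to look for in existing access logs. The scanner below is an added example, not part of this announcement or of WordPress: it parses combined-format access log lines and flags requests whose path ends in theme.php or feed.php or whose query string carries an ix or iz parameter. The log lines it ships with are constructed samples with documentation-range IP addresses.

```python
"""Flag access-log requests matching the indicators in the advisory.

Added example, not part of the WordPress announcement. Matches requests
for theme.php / feed.php and requests whose query string contains an
"ix" or "iz" parameter, the same indicators hosts were asked to block.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" format up to the response size; the referrer
# and user-agent fields are not needed here and are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

BLOCKED_FILES = {"theme.php", "feed.php"}
BLOCKED_PARAMS = {"ix", "iz"}


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicators(target):
    """List the reasons a request target matches the advisory's block rule."""
    parts = urlsplit(target)
    reasons = []
    filename = parts.path.rsplit("/", 1)[-1]
    if filename in BLOCKED_FILES:
        reasons.append("path:" + filename)
    # keep_blank_values so a bare "?ix=" with no value still matches.
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        if key in BLOCKED_PARAMS:
            reasons.append("param:" + key)
    return reasons


def scan(lines):
    """Return (ip, target, reasons) for every line that matches an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        why = indicators(rec["target"])
        if why:
            hits.append((rec["ip"], rec["target"], why))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Mar/2007:02:14:07 +0000] "GET /wp-includes/feed.php?iz=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [03/Mar/2007:02:15:11 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8192',
    '203.0.113.5 - - [03/Mar/2007:02:16:30 +0000] "GET /wp-includes/theme.php HTTP/1.1" 200 300',
    '192.0.2.44 - - [03/Mar/2007:02:17:02 +0000] "GET /?ix= HTTP/1.1" 404 0',
    'this line is not in combined format and is skipped',
]


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, ", ".join(reasons))
```

The parameter check matches the names `ix` and `iz` exactly rather than the substring `ix=`, which the advisory's wording would also apply to a harmless parameter such as `matrix=`; if you want the literal substring rule the host was asked to enforce, replace the `parse_qsl` loop with `"ix=" in parts.query or "iz=" in parts.query` and expect more false positives. Feed the real log through `scan(open(path))` and review every hit, since a 200 response to one of these requests on a 2.1.1 install is exactly what the overwrite in the previous section is meant to address.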
Thanks to Ryan, Barry, Donncha, Mark, Michael, and Dougal for working through the night to identify and fix this problem, and thanks to Ivan Fratric for reporting it in the first place.
Questions and Answers
Because of the highly unusual nature of this event and release, we've set up an email address firstname.lastname@example.org that you can email questions to, and we'll be updating this entry with more information throughout the day.
Is version 2.0 affected?
No downloads were modified except 2.1.1, so if you downloaded any version of 2.0 you should be fine.
What if we upgrade from SVN?
Nothing in the Subversion repository was touched, so if you update and maintain your blog using SVN there is no chance you downloaded the corrupted release file.