An unknown hacker has managed to access a WordPress server, installing a Trojan horse in the code of the popular downloadable blogging software.
The breach was discovered last Friday. WordPress creator Matt Mullenweg wrote on the WordPress blog that: "If you downloaded WordPress 2.1.1 within the past three to four days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately."
WordPress, the open source software that enables users to set up and publish postings to a blog, released a new version of its blog publishing software to combat the hacker attack.
Mullenweg did not say how the attacker managed to crack the WordPress system. Apparently he or she modified two files in the source code for the 2.1.1 update, adding a Trojan that would allow for remote execution of PHP code, Mullenweg wrote.
The vulnerability could allow an attacker access to the server running the blogging software, letting him execute code and install software.
"This is the kind of thing you pray never happens but it did and now we're dealing with it as best we can," Mullenweg wrote. His team is currently taking measures to prevent a similar breach in the future.
Security firm Symantec said it had uncovered less than 50 attacks exploiting the WordPress flaw. It rated the threat as 'low level' due to its limited reach and easy removal.
Any WordPress users running version 2.1.1 should upgrade immediately to overwrite all old files. Further tips for web hosters and network administrators can be found on the WordPress website. An email address for related questions has been set up: 21securityfaq@wordpress.org .
