Whoever broke into the WordPress network gained user-level access to one of the servers that powers wordpress.org, according to a blog post by WordPress founder Matt Mullenweg. The intruder then used that access to modify the download file, according to an advisory on the WordPress Web site. The hacker added malicious code to the source code for the 2.1.1 update, inserting a Trojan that would allow remote PHP execution. PHP is an embedded scripting language used to create dynamic content on Web pages.
WordPress did not disclose how many users downloaded the infected version.
"This is the kind of thing you pray never happens, but it did and now we're dealing with it as best we can," says Mullenweg in his blog. "Although not all downloads of 2.1.1 were affected, we're declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can't happen again, not the least of which is minutely external verification of the download package so we'll know immediately if something goes wrong for any reason."
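The "external verification of the download package" Mullenweg mentions is, in practice, a per-file hash manifest taken from a trusted copy and compared against what users actually download, so that a single altered or added file stands out. The following is an added example, not WordPress code or anything from the original article; the archives and PHP snippets in it are constructed sample data.

```python
"""Check a downloaded release archive against a known-good per-file hash manifest.
One altered file inside an otherwise legitimate package is invisible to users unless
the package is compared with hashes published out-of-band. Sample data only."""
import hashlib
import io
import zipfile

def manifest_from_zip(archive: bytes) -> dict:
    """Map every regular file in the zip to the SHA-256 hex digest of its contents."""
    manifest = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                manifest[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return manifest

def diff_manifests(trusted: dict, downloaded: dict) -> dict:
    """Report which paths were modified, added or removed relative to the trusted manifest."""
    return {
        "modified": sorted(p for p in trusted if p in downloaded and trusted[p] != downloaded[p]),
        "added": sorted(p for p in downloaded if p not in trusted),
        "missing": sorted(p for p in trusted if p not in downloaded),
    }

def build_zip(files: dict) -> bytes:
    """Build a zip archive from {path: bytes}; used only to construct the sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()

# Constructed sample: a clean package and a copy with one file altered and one file added.
CLEAN_FILES = {
    "app/index.php": b"<?php echo 'hello'; ?>\n",
    "app/wp-includes/feed.php": b"<?php function feed() { return 'rss'; } ?>\n",
}
TAMPERED_FILES = dict(CLEAN_FILES)
TAMPERED_FILES["app/wp-includes/feed.php"] += b"<?php /* placeholder for injected code */ ?>\n"
TAMPERED_FILES["app/wp-includes/extra.php"] = b"<?php /* file not in the trusted release */ ?>\n"

def check_download() -> dict:
    """Compare the tampered sample against a manifest taken from the clean sample."""
    trusted = manifest_from_zip(build_zip(CLEAN_FILES))
    return diff_manifests(trusted, manifest_from_zip(build_zip(TAMPERED_FILES)))
```

In a real deployment the trusted manifest is generated at release time and published separately from the download server, so an intruder with write access to the package alone cannot also rewrite the reference hashes.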
The new software release can be found at the WordPress download site. The company has also set up this e-mail address to field related questions: [email protected]
US-CERT is advising users to upgrade immediately.
Masaki Suenaga, a security response engineer at Symantec, wrote in a blog post that although a Web server may be running the hacked version of the software, a user who visits a Web page on that server is not at risk, so long as the server has not been compromised by other malicious threats downloaded through the back door.