"This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can," Mullenweg said. "Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files."
He suggested that sites hosting WordPress blogs consider blocking access to the two compromised files, theme.php and feed.php.
"These files contain instructions that can grab the parameter of the WordPress hosting service URL and pass it to either the PHP script engine or the command program of the operating system, allowing the attacker to execute a remote command on the server running the hacked version of WordPress," Masaki Suenaga said today on the Symantec Security Response Weblog.
However, users who visit websites running on the same server as the compromised WordPress software should not be at risk, Suenaga said. The risk is for the people running the websites (with WordPress software) and running the servers (controlling WordPress), Mullenweg told SCMagazine.com today.
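The two defensive checks implied by this incident are a known-good hash manifest (the "entirely verified files" of the re-release) and a scan of installed PHP for the backdoor shape Suenaga describes: a request parameter handed to the PHP engine or to the operating system's command program. The script below is an added example written for this article, not code from WordPress, Symantec or the article's authors. The PHP snippets, the parameter names and the manifest are constructed stand-ins; the real backdoored files were not reproduced here, and the scanner is a lightweight regex taint check, not a full PHP parser.

```python
"""Detect request data flowing into PHP execution sinks, and verify files
against a trusted hash manifest. Added example; all samples are constructed."""
import hashlib
import re
from pathlib import Path
from typing import Dict, List, Tuple

# PHP functions that hand a string to the script engine or the OS shell.
SINKS = ("eval", "assert", "system", "exec", "passthru", "shell_exec", "popen", "proc_open")
# Where request-controlled data enters a PHP script.
SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER")

_ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)\s*([^;]+);")
_SINK_RE = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(([^;]*)\)\s*;")


def _is_tainted(expr: str, tainted: set) -> bool:
    """True if the expression mentions a superglobal or a variable derived from one."""
    if any(sg in expr for sg in SUPERGLOBALS):
        return True
    return any(re.search(re.escape(var) + r"\b", expr) for var in tainted)


def scan_php_source(src: str) -> List[Tuple[int, str]]:
    """Return (line number, sink name) for every sink call fed by request data.

    Pass 1 on each line records variables assigned from tainted expressions;
    pass 2 flags sinks whose argument is tainted. Assignments before a sink on
    an earlier line are tracked, so `$c = $_GET['x']; ... system($c);` is caught.
    """
    tainted: set = set()
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in _ASSIGN_RE.finditer(line):
            var, rhs = m.group(1), m.group(2)
            if _is_tainted(rhs, tainted):
                tainted.add(var)
        for m in _SINK_RE.finditer(line):
            if _is_tainted(m.group(2), tainted):
                findings.append((lineno, m.group(1)))
    return findings


def scan_tree(root: Path) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every .php file under root; only files with findings are returned."""
    results = {}
    for path in root.rglob("*.php"):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_against_manifest(files: Dict[str, str], manifest: Dict[str, str]) -> List[str]:
    """Names of files whose SHA-256 is missing from or differs from the trusted manifest."""
    return sorted(name for name, src in files.items()
                  if manifest.get(name) != sha256_hex(src.encode()))


# Constructed samples. feed.php reads a request parameter but never executes it;
# theme.php shows the backdoor shape described in the article, with placeholder
# parameter names ('p', 'c') rather than any real ones.
SAMPLE_FILES = {
    "feed.php": "<?php\n"
                "// constructed: request data used as a plain value, not executed\n"
                "$format = isset($_GET['format']) ? $_GET['format'] : 'rss2';\n"
                "echo render_feed($format);\n",
    "theme.php": "<?php\n"
                 "// constructed: a request parameter passed to the PHP engine,\n"
                 "// and another passed to the OS command program\n"
                 "if (isset($_GET['p'])) { eval($_GET['p']); }\n"
                 "$cmd = $_REQUEST['c'];\n"
                 "if ($cmd) { passthru($cmd); }\n",
}

# Constructed "known-good" copies: the manifest a verified release would ship.
CLEAN_FILES = {
    "feed.php": SAMPLE_FILES["feed.php"],
    "theme.php": "<?php\n// constructed: clean theme.php stand-in\necho 'theme';\n",
}
TRUSTED_MANIFEST = {name: sha256_hex(src.encode()) for name, src in CLEAN_FILES.items()}


if __name__ == "__main__":
    for name, src in SAMPLE_FILES.items():
        for lineno, sink in scan_php_source(src):
            print(f"{name}:{lineno}: request data reaches {sink}()")
    print("files differing from manifest:",
          verify_against_manifest(SAMPLE_FILES, TRUSTED_MANIFEST))
```

The hash check is the stronger control: it needs no knowledge of how a backdoor is written, only a manifest produced from files the project itself verified. The sink scan is a complement for installs whose manifest is unavailable, and it deliberately tolerates request data that is merely read (feed.php above) so that ordinary template code does not drown the output in false positives.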
He said he was not aware of any exploits targeting the vulnerability, although he expects at least some users to be impacted because the affected version was downloaded thousands of times. WordPress receives about 10,000 downloads per day and is used by The Wall Street Journal, The New York Times and The Financial Times, he said.
"They didn't seem terribly sophisticated," Mullenweg said of the intruders who failed to include a "phone-home" mechanism in their code.
"Generally when there are break-in attempts, they remain under the radar to create a botnet of some sort," he said. "They didn't cover their tracks very well. It could've been much worse. If they were really good, we would have never noticed."