WordPress upgrades to fix flaw that allows malicious PHP code execution

By

Developers have released an updated version of WordPress after hackers compromised the popular blog-publishing tool, opening the door for remote code execution.


Attackers manipulated the code of WordPress 2.1.1 – a free personal publishing platform written in the programming language PHP, WordPress developer Matt Mullenweg said Friday in a company blog. The cybercrooks gained user-level access to one of the servers controlling wordpress.org and altered two files that would allow remote PHP code to be executed.

"This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can," Mullenweg said. "Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files."

Sites that host WordPress blogs should consider blocking access to the compromised files – theme.php and feed.php, he suggested.

"These files contain instructions that can grab the parameter of the WordPress hosting service URL and pass it to either the PHP script engine or the command program of the operating system, allowing the attacker to execute a remote command on the server running the hacked version of WordPress," Masaki Suenaga said today on the Symantec Security Response Weblog.

However, users who visit websites running on the same server as the compromised WordPress software should not be at risk, Suenaga said. The risk is for the people running the websites (with WordPress software) and running the servers (controlling WordPress), Mullenweg told SCMagazine.com today.

He said he was not aware of any exploits targeting the vulnerability, although he expects at least some users to be impacted because the affected version was downloaded thousands of times. WordPress receives about 10,000 downloads per day and is used by The Wall Street Journal, The New York Times and The Financial Times, he said.

"They didn't seem terribly sophisticated," Mullenweg said of the intruders who failed to include a "phone-home" mechanism in their code.

"Generally when there are break-in attempts, they remain under the radar to create a botnet of some sort," he said. "They didn't cover their tracks very well. It could've been much worse. If they were really good, we would have never noticed."




Got a news tip for our journalists? Share it with us anonymously here.
Tags:
allowscodeexecutionfixflawmaliciousphpsecuritythattoupgradeswordpress

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?