4 Mar 2007
Wordpress hacked
My bad karma must not have totally eclipsed my general luck, as the one time I decide not to upgrade immediately to the new version of WordPress is the time that the WordPress download site is hacked and the code modified to include a PHP exploit!
from WordPress.org:
This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.
It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.
Luckily, drzy has been sitting at version 2.0.9, due primarily to laziness, and compounded by the fact that they released a trillion versions within a week.
Is version 2.0 affected?
No downloads were altered except 2.1.1, so if you’ve downloaded any version of 2.0 you should be fine.
So, if you are one of the unlucky early adopters, click the first link and download version 2.1.2 to remedy your compromised site.
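The incident above is a supply-chain compromise: the release archive itself was altered on the distribution server, so a site that installed it would contain files differing from the real release. The practical check for a site owner is to compare the installed tree against a pristine copy of the same version and list every file that was modified, added or removed. The following script is an added example written for this post; it is not code from the blog, from WordPress, or from the WordPress.org advisory, and the file names and contents in the sample data are constructed placeholders (the advisory does not name the two modified files).

```python
"""Compare an installed WordPress tree against a pristine release tree by SHA-256.

Added example for this post (not WordPress code). Usage against real directories:
    python integrity_check.py /path/to/pristine-wordpress /var/www/html
"""
import hashlib
import sys
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def hash_tree(root) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = sha256_bytes(path.read_bytes())
    return digests


def compare_manifests(reference: dict[str, str], installed: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two path -> digest manifests.

    modified: present in both, digest differs (the case in the 2.1.1 incident)
    added:    present only in the installed tree (e.g. a dropped-in extra file)
    missing:  present only in the reference tree
    """
    modified = sorted(p for p in reference if p in installed and reference[p] != installed[p])
    added = sorted(p for p in installed if p not in reference)
    missing = sorted(p for p in reference if p not in installed)
    return {"modified": modified, "added": added, "missing": missing}


def manifest_from_files(files: dict[str, bytes]) -> dict[str, str]:
    """Build a manifest from an in-memory {path: content} mapping (for the demo and tests)."""
    return {path: sha256_bytes(content) for path, content in files.items()}


# Constructed sample data: a tiny "pristine release" and an "installed" copy
# where one file has been altered and one unexpected file has appeared.
# File names are hypothetical; they are not the files named in any real incident.
REFERENCE_FILES = {
    "index.php": b"<?php require 'wp-blog-header.php';\n",
    "wp-includes/foo.php": b"<?php function foo() { return 1; }\n",
    "wp-includes/bar.php": b"<?php function bar() { return 2; }\n",
}
INSTALLED_FILES = {
    "index.php": REFERENCE_FILES["index.php"],
    "wp-includes/foo.php": REFERENCE_FILES["wp-includes/foo.php"]
    + b"/* constructed marker: content not present in the release */\n",
    "wp-includes/bar.php": REFERENCE_FILES["wp-includes/bar.php"],
    "wp-content/uploads/extra.php": b"<?php /* constructed: file not in release */\n",
}


def demo() -> dict[str, list[str]]:
    """Run the comparison over the constructed sample data."""
    return compare_manifests(manifest_from_files(REFERENCE_FILES),
                             manifest_from_files(INSTALLED_FILES))


def report(diff: dict[str, list[str]]) -> int:
    """Print findings; return 1 if anything differs so the script works in a cron job."""
    for kind in ("modified", "added", "missing"):
        for path in diff[kind]:
            print(f"{kind:8s} {path}")
    return 1 if any(diff.values()) else 0


if __name__ == "__main__":
    if len(sys.argv) == 3:
        sys.exit(report(compare_manifests(hash_tree(sys.argv[1]), hash_tree(sys.argv[2]))))
    sys.exit(report(demo()))
```

Run with no arguments it prints the two findings from the sample data; with two directory arguments it hashes both trees. A non-zero exit on any difference makes it usable as a periodic job, and "added" files under upload directories deserve as much attention as modified core files, since a web server will happily execute a PHP file wherever it lands.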
16 Jan 2007
so much for last words… Wordpress 2.0.7
The peeps at WordPress decided to fix a PHP vulnerability and a couple more things with a new release, version 2.0.7. They reported that 2.0.6 would be the last release before 2.1, but I guess it was severe enough that an immediate patch was warranted.
The 2.1 release is still set for the 21st of the month, so we’ll see how that goes.
drzy has been updated. Again, if anything looks screwy, see you in St. Louis send me a message.