Patch/Configuration Management, Vulnerability Management

WordPress upgrades to fix flaw that allows malicious PHP code execution

Developers have released an updated version of WordPress after hackers compromised the popular blog-publishing tool, opening the door for remote code execution.

Attackers manipulated the code of WordPress 2.1.1 – a free, open-source personal publishing platform written in the programming language PHP, WordPress developer Matt Mullenweg said Friday in a company blog. The cybercrooks gained user-level access to one of the servers controlling wordpress.org and altered two files that would allow remote PHP code to be executed.

"This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can," Mullenweg said. "Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files."

Sites that host WordPress blogs should consider blocking access to the compromised files – theme.php and feed.php, he suggested.

"These files contain instructions that can grab the parameter of the WordPress hosting service URL and pass it to either the PHP script engine or the command program of the operating system, allowing the attacker to execute a remote command on the server running the hacked version of WordPress," Masaki Suenaga said today on the Symantec Security Response Weblog.

However, users who visit websites running on the same server as the compromised WordPress software should not be at risk, Suenaga said. The risk is for the people running the websites (with WordPress software) and running the servers (controlling WordPress), Mullenweg told SCMagazine.com today.

He said he was not aware of any exploits targeting the vulnerability, although he expects at least some users to be impacted because the affected version was downloaded thousands of times. WordPress receives about 10,000 downloads per day and is used by The Wall Street Journal, The New York Times and the Financial Times, he said.

"They didn't seem terribly sophisticated," Mullenweg said of the intruders who failed to include a "phone-home" mechanism in their code.

"Generally when there are break-in attempts, they remain under the radar to create a botnet of some sort," he said. "They didn't cover their tracks very well. It could've been much much worse. If they were really good, we would have never noticed."

Click here to email reporter Dan Kaplan.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.