
Attacker adds vulnerability to WordPress blog software

The maker of WordPress blogging software is urging users to get the latest update immediately after an attack on its server ended with a hacked version posted for download.

The maker of WordPress blogging software is urging users to get a "highly critical" update immediately after an attack on its server ended with a "dangerous" version posted for download.

Danish computer security firm Secunia ApS reported Monday that the security-compromised version 2.1.1 of the WordPress software, which would have been available for download Feb. 25 or later, could allow an attacker to issue commands to an infected computer, retrieve passwords and other information, or alter and delete files.

The vulnerability would only affect a computer server on which the compromised software is running. Secunia rated the problem "highly critical," the second-highest severity on its five-point scale.

A fixed version of WordPress, update 2.1.2, was released Friday.

"If you downloaded WordPress 2.1.1 within the past three, four days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately," Matthew Mullenweg, the original software creator, wrote in a post to the WordPress.org developer blog Friday.

"Cracker" is computer slang for a hacker who breaks hardware or software security, often with malicious intent; the term is meant to distinguish such people from computer enthusiasts who probe or deconstruct systems out of intellectual curiosity.

"If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files," Mullenweg wrote in his blog post titled, "WordPress 2.1.1 dangerous, upgrade to 2.1.2."

He said the altered version of the software appears to be the only thing that was affected by the attack and that further investigation was underway.

The flaw was discovered Friday by Ivan Fratric, a security researcher at the University of Zagreb in Zagreb, Croatia, who alerted WordPress before posting his findings to his blog Saturday.
