Bloggers and site owners using the WordPress content management system are being advised to upgrade to the latest version of the software after a worm was found to be affecting downloaded versions of the system.

According to a statement from WordPress, a worm is currently exploiting a security hole in the software in an attempt to distribute spam and links to numerous forms of malware, including fake antivirus software.

A statement posted by WordPress on the company blog read: “This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

“The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage.”

Users running downloaded versions of the open source CMS for a self-hosted site or blog have been advised to upgrade to WordPress 2.8.4, a version which includes a patch that closes this security flaw. Bloggers who are using the online version of WordPress at www.wordpress.com are unaffected by the threat, although experts would advise users to back up their posts if possible.

WordPress has also taken the opportunity to remind users that an upgrade could save considerable time otherwise spent repairing a blog in the event of a security breach, writing: “A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well – a little bit of work on an upgrade now saves a lot of work fixing something later.”
