September 10, 2009, 7:07 AM — A malicious worm is winding its way through older versions of WordPress, infecting posts with spam and malware that gets downloaded when readers visit them.
According to the WordPress Blog, this worm does not affect the current version of the blog publishing software, which is 2.8.4, but the company is strongly recommending that users running older versions upgrade immediately.
The worm registers a user account and exploits a security flaw in older versions to execute code through the permalink structure. It then makes that account an administrator and uses JavaScript to hide itself from blog readers when they visit a page. Meanwhile it inserts spam and malware into older posts.
The worm fails to properly clean up after itself once it has infected a page, according to WordPress, and users may notice that their links are broken – a telltale sign that the worm has visited.
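A defender-side triage script, added here as an example and not part of the original article or of WordPress itself: given a post and user export (field names assumed to follow the wp_posts table and WP-CLI conventions; the sample data is constructed), it flags posts carrying the kinds of injected or hidden content described above and lists administrator accounts the site owner does not recognise.

```python
import re

# Indicators matching the behaviour described in the article: script injected into
# post bodies, content hidden from readers, and obfuscated JavaScript loaders.
SUSPICIOUS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "iframe_tag": re.compile(r"<iframe\b", re.I),
    "hidden_block": re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I),
    "js_obfuscation": re.compile(r"\b(?:eval|unescape|document\.write)\s*\(", re.I),
}


def scan_posts(posts):
    """Return {post ID: [indicator names]} for posts whose body matches any indicator.

    `posts` is a list of dicts with 'ID' and 'post_content' keys (wp_posts column names,
    assumed to come from a database export or `wp post list`)."""
    hits = {}
    for post in posts:
        found = [name for name, rx in SUSPICIOUS.items() if rx.search(post["post_content"])]
        if found:
            hits[post["ID"]] = found
    return hits


def unexpected_admins(users, known_admins):
    """Administrator logins absent from the owner's allow-list (the worm creates its own).

    `users` is a list of dicts with 'user_login' and a 'roles' list, as `wp user list`
    would provide (assumed field names)."""
    return sorted(u["user_login"] for u in users
                  if "administrator" in u["roles"] and u["user_login"] not in known_admins)


# Constructed sample export, not real site content.
SAMPLE_POSTS = [
    {"ID": 12, "post_content": "<p>Welcome to the blog.</p>"},
    {"ID": 15, "post_content": '<p>Old post</p><div style="display:none">'
                               '<a href="http://spam.example/pills">pills</a></div>'},
    {"ID": 18, "post_content": "<p>Another</p><script>document.write(unescape('%3Cifr'))</script>"},
]
SAMPLE_USERS = [
    {"user_login": "owner", "roles": ["administrator"]},
    {"user_login": "editor_jane", "roles": ["editor"]},
    {"user_login": "new_user_47", "roles": ["administrator"]},  # constructed rogue admin
]

if __name__ == "__main__":
    print("posts needing review:", scan_posts(SAMPLE_POSTS))
    print("unrecognised admins:", unexpected_admins(SAMPLE_USERS, {"owner"}))
```

Run it against a real export after upgrading; a post flagged only for `hidden_block` may be a legitimate theme trick, so review hits by hand rather than deleting automatically.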
WordPress points out that upgrading to the latest version of its software may entail some work, but not as much work as cleaning up a hacked blog post.