WordPress server hacked. Downloads have serious flaw.

Larwee

In Memoriam - Loyal Administrator
All WordPress users who downloaded and installed version 2.1.1 are being told they should upgrade to version 2.1.2. Earlier versions of WordPress are not affected.

User-level access was gained to one of the wordpress.org servers and the download file was modified.

The compromised code was distributed through the wordpress.org site.

The WordPress developer is saying:
If your blog is running 2.1.1, please upgrade immediately and do a full overwrite of your old files, especially those in wp-includes. ... If you are a web host or network administrator, block access to 'theme.php' and 'feed.php', and any query string with 'ix=' or 'iz=' in it.
Here is a link to the complete details on this very important issue: http://wordpress.org/development/2007/03/upgrade-212/
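For hosts and administrators acting on the advice quoted above, a log check for the same indicators, added here as an example and not part of the original post or of WordPress: it scans common/combined-format access log lines for requests to `theme.php` or `feed.php` and for query parameters named `ix` or `iz`. Treating `ix=`/`iz=` as parameter names rather than substrings is an assumption, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators quoted in the advisory above.
SUSPECT_FILES = {"theme.php", "feed.php"}
# Assumption: 'ix=' / 'iz=' are read as parameter names, so 'suffix=1' is not flagged.
SUSPECT_PARAMS = {"ix", "iz"}

# Client IP, request target and status from a common/combined-format log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Mar/2007:10:00:01 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Mar/2007:10:02:11 +0000] "GET /wp-includes/feed.php?ix=PLACEHOLDER HTTP/1.1" 200 312',
    '198.51.100.7 - - [03/Mar/2007:10:02:15 +0000] "GET /wp-includes/theme.php?iz=PLACEHOLDER HTTP/1.1" 200 87',
    '203.0.113.5 - - [03/Mar/2007:10:05:40 +0000] "GET /?s=prefix&suffix=1 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [03/Mar/2007:10:07:02 +0000] "GET /index.php?%69x=PLACEHOLDER HTTP/1.0" 404 0',
]

def classify(target):
    """Return the advisory indicators matched by one request target."""
    parts = urlsplit(target)
    hits = []
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in SUSPECT_FILES:
        hits.append("file:" + filename)
    # parse_qsl percent-decodes names, so '%69x=' is still seen as 'ix';
    # keep_blank_values makes a bare 'ix=' count as well.
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SUSPECT_PARAMS:
            hits.append("param:" + name.lower())
    return hits

def scan(lines):
    """Return (line_number, client_ip, status, indicators) for each flagged line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line in the expected format
        hits = classify(match.group("target"))
        if hits:
            findings.append((number, match.group("ip"), match.group("status"), hits))
    return findings

if __name__ == "__main__":
    for number, ip, status, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {ip} status={status} {', '.join(hits)}")
```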
 
I will add that even if you're using the unaffected version 2.1.1, it's still a good idea to update as it incorporates an unrelated security fix. If you're still in the 2.0.x branch, it's recommended that you upgrade to version 2.0.9 which has the security fixes rolled into the 2.1.x branch.

~ Teli
 