Sometime in the last 3-4 days, someone managed to alter the download for WordPress 2.1.1, adding a remotely exploitable security hole. The WordPress team has declared the release “dangerous” and has issued an update, WordPress 2.1.2, taken from the clean source plus a few fixes. If you run WordPress 2.1.1, upgrade ASAP!

Things worth noting:

  • The SVN source that the developers use was not altered.
  • Older versions, such as 2.0, don’t seem to have been affected.
  • If you downloaded 2.1.1 when it was first released, it’s probably okay.
  • 2.1.2 also includes a fix for a cross-site scripting vulnerability discovered a few days ago, so it’s worth updating anyway.

I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, are identical in both, confirming that the initial release was unaffected. That’s also where I saw the changes for that XSS bug.
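The archive comparison described above, as an added example that is not from the original post: it hashes every regular file in two tarballs and reports members that differ, were added, or were removed, which is the check that would flag files like feed.php and theme.php in a tampered download. The sample archives are constructed in memory and contain placeholder text, not WordPress source.

```python
import hashlib
import io
import tarfile


def archive_digests(data: bytes) -> dict:
    """Map each regular file in a tar archive (given as bytes) to its SHA-256 digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip directories, symlinks, etc.
            digests[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def compare_archives(known_good: bytes, suspect: bytes) -> dict:
    """Diff a trusted archive against a suspect one by file name and content hash."""
    a, b = archive_digests(known_good), archive_digests(suspect)
    return {
        "changed": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
    }


def make_tar(files: dict) -> bytes:
    """Build a gzipped tarball in memory from {name: content} (test fixture helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample archives: placeholder contents, not real WordPress files.
CLEAN = make_tar({
    "wordpress/wp-includes/feed.php": b"<?php // placeholder feed helpers\n",
    "wordpress/wp-includes/theme.php": b"<?php // placeholder theme helpers\n",
})
SUSPECT = make_tar({
    "wordpress/wp-includes/feed.php": b"<?php // placeholder feed helpers\n// unexpected extra line\n",
    "wordpress/wp-includes/theme.php": b"<?php // placeholder theme helpers\n",
})

if __name__ == "__main__":
    print(compare_archives(CLEAN, SUSPECT))  # prints {'changed': ['wordpress/wp-includes/feed.php'], 'added': [], 'removed': []}
```

This only helps if the reference copy is one you trust, such as an archive saved at release time or a checksum published out of band, since comparing two downloads from the same compromised mirror proves nothing.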

*sigh* It’s always something…