Warning: You must Upgrade Your WP Blog Now

[hmigroupllc]

I don't usually send out any threads like this, but Wordpress released an upgrade today that is specifically to stop a malicious iframe file from being injected into your server via WP.

It has happened to two of my marketing blogs the past two days.

I highly encourage you to do the upgrade immediately, or your blog web pages could disappear.

What happens is a "fake" index file is placed on your server with an iframe to a blank script.

This same code is also injected into other files.

You really need to do this upgrade.

Thanks

Wayne Sharer

[tommen]

Thanks for the heads up! I use 2.8.4 at the moment.I usually wait a month before upgrading because some of the plugins I use will necessarily not work after the upgrade.

[Michael Oksa]

Thank you, Wayne.

I know it takes a while for some of my plug-ins to catch up to new versions of WP. But I would rather be without a plug-in or two for a little while than to have my site wiped out. That's my take on it anyway.

All the best,
Michael

[Istvan Horvath]

To be honest, the 2.8.6 was released yesterday and the two issues addressed by this newest version have nothing to do with injection:

Quote:

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.
The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations.

Source: WordPress › Blog WordPress 2.8.6 Security Release

[jazbo]

Wordpress, dont ya love it.

[redicelander]

That sucks. What number upgrade is this? You talking about 2.8.5?

[hmigroupllc]

Well, this isn't about twisting and turning meanings and words. My host says that the Wordpress Fix issued today will stop the injections.

Whether or not it is specifically to do with the specific insecurity really doesn't matter.

I would do the upgrade, and argue semantics later.

Have a great day.

Wayne Sharer

No thanks I will stay with my secured 2.6.5 version .. This is the problem, every time a update is released people go running to install it instead of waiting.

This is why you should secure your own blog and stop doing all those freaking updates just for those cool new features. Personally I find 2.8 with many issues and have found it even less user friendly than what wordpress was before.

James

[Istvan Horvath]

Quote:

Originally Posted by hmigroupllc

Well, this isn't about twisting and turning meanings and words.

Quote:

Originally Posted by hmigroupllc

[...] argue semantics later.

What can I do... I am linguist as my basic profession. I do care about the words and meaning .