WordPress 2.3.3 is not safe anymore – upgrade NOW! (link injection vulnerability)

A few days ago I was recommending to people not to upgrade to version 2.5 of WordPress, because at the time I believed WP 2.3.3 to be as stable and safe as the new 2.5 series. Besides, I liked (and still like) the old, ‘classic’, 2.3.x admin interface much more…

OK, I must take my words back and confirm that WordPress 2.3.3, the last stable release before the new WordPress 2.5 branch was released, is not safe anymore, and you can become a victim of the link injection hack (vulnerability).

What happened?

In one of the blogs, which I support (luckily, not my personal blog, which I have upgraded to 2.5/2.5.1 long ago), I have found ‘hidden’ links (code: <u style="display: none">[ bunch of spam links inserted here ]</u>) in one of the regular posts there.

I checked the whole blog after that, all of the archives, and the hidden links were found only in two blog posts — but this doesn’t mean that at a later point, the hacker won’t try to insert some 50 or even 500 more of these…

Now I am performing an upgrade to WP 2.5.1, the latest stable available for download.

After that, I’ll ask all of the authors in this blog to change their passwords, and after that, we’ll see…

Actually, I am sure that after that we’ll have to upgrade to 2.5.2, then to 2.6, etc., etc., but I guess, there’s nothing else to be done.

Last, but not least, I recommend to all WordPress users to upgrade carefully, and often. The danger of discovering one day, that your blog became a victim of some stupid spammer, trying to ‘sell’ his black hat SEO links, using your hacked WP, is quite real, and the only measure against this is: upgrade! :-)

//Sideline: I still do not like the new WP 2.5 admin interface (and not only I;-), and I just hope, that in 2.6 things will look better (and more usable) — or at least, the Write section will be improved…

3 comments |



Comments to “WordPress 2.3.3 is not safe anymore – upgrade NOW! (link injection vulnerability)”:

  1. AndrewBoyd Says:
    1

    Thanks for the backlink and for the heads-up about the link injection vulnerability :)

    Best regards, Andrew Boyd

  2. Michel Says:
    2

    Hi, Andrew,

    Yep, I liked interface of 2.3.3 much more than 2.5/2.5.1, but looks like only the last version of WP is safe, for now…

  3. On Blogging Australia » Blogging tips Current Feature » WordPress 2.3 is falling to bits Says:
    3

    […] Optimiced touched on this issue a short while ago: OK, I must take my words back and confirm that WordPress 2.3.3, the last stable release before the new WordPress 2.5 branch was released, is not safe anymore, and you can become a victim of the link injection hack (vulnerability). […]

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>
Your e-mаil address will never be showed.


[ optimiced.com is the virtual home of Web & graphic designer Michel Bozgounov | powered by WP & hosted by DreamHost | also available in български ]

1.511 / 31 / 22.75