A new worm capable of posting malware and spam as well as altering or deleting posts on WordPress blogs has the company imploring users to update immediately to the latest version of its popular open source blogging software.
The attack serves as just the latest example of how hackers are targeting social networking and user-generated content sites as unwitting hosts for their malicious spamming and malware endeavors.
Matt Mullenweg, the founding developer of WordPress, said the vulnerability allowing the attack was first unearthed Aug. 11 and was resolved in the two latest versions of the blogging software released in the past month.
"Upgrading is a known quantity of work, and one that the WordPress community has tried its damnedest to make as easy as possible with one-click upgrades," he wrote in a blog posting. "Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open-heart surgery."
Users of the company's hosted WordPress.com service are automatically updated to the latest version of the software and shouldn't be vulnerable.
WordPress officials have yet to say just how many users' blogs have been compromised by the worm. Founded in 2003, WordPress.org claims that more than 3.8 million users downloaded the blogging software in 2007, the most recent data provided on the company's site.
Mullenweg said the worm infects a site by registering a user, then uses a security bug existing in earlier editions of the software to execute code through the blog's permalink structure.
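The two footholds the article describes, a self-registered account and a permalink structure carrying something other than a path template, are both things a site owner can check for directly. The script below is an added example, not code from the article, WordPress or Mullenweg: it audits a `permalink_structure` value against the structure tags WordPress documents and flags any other characters, and it lists administrator accounts that are not on an owner-maintained allow list. The sample option values and user records are constructed for illustration; the suspicious permalink value is a made-up one, not the worm's actual payload.

```python
import re

# Structure tags documented for the WordPress permalink_structure option.
KNOWN_TAGS = {
    "%year%", "%monthnum%", "%day%", "%hour%", "%minute%", "%second%",
    "%post_id%", "%postname%", "%category%", "%author%",
}

TAG_RE = re.compile(r"%[a-z_]+%")
# A path template should contain nothing beyond letters, digits and a few
# path punctuation characters once the tags are removed.
PATH_CHAR_RE = re.compile(r"[A-Za-z0-9%/_.\-]")


def audit_permalink_structure(structure: str) -> list[str]:
    """Return a list of findings for a permalink_structure value; empty means clean."""
    findings = []
    for tag in TAG_RE.findall(structure):
        if tag not in KNOWN_TAGS:
            findings.append(f"unknown structure tag {tag}")
    stripped = TAG_RE.sub("", structure)
    bad = sorted({c for c in stripped if not PATH_CHAR_RE.match(c)})
    if bad:
        findings.append("unexpected characters in permalink structure: " + "".join(bad))
    return findings


def find_unexpected_admins(users: list[dict], known_admins: set[str]) -> list[str]:
    """Logins holding the administrator role that the site owner did not expect."""
    return sorted(
        u["login"] for u in users
        if u["role"] == "administrator" and u["login"] not in known_admins
    )


# Constructed sample data standing in for the wp_options and wp_users tables.
SAMPLE_PERMALINKS = {
    "clean": "/%year%/%monthnum%/%postname%/",
    "suspicious": "/%postname%/{$x}/",   # made-up value, not the real worm payload
}
SAMPLE_USERS = [
    {"login": "editor-jane", "role": "editor", "registered": "2009-03-02"},
    {"login": "admin", "role": "administrator", "registered": "2008-11-20"},
    {"login": "xyz1234", "role": "administrator", "registered": "2009-09-04"},
]
KNOWN_ADMINS = {"admin"}

if __name__ == "__main__":
    for label, value in SAMPLE_PERMALINKS.items():
        print(label, audit_permalink_structure(value) or "ok")
    print("unexpected admins:", find_unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS))
```

On a live site the two inputs come from `wp_options` (`option_name = 'permalink_structure'`) and from `wp_users` joined with the `wp_capabilities` row in `wp_usermeta`; the table prefix `wp_` is the default and may differ per install. A finding from either check is a reason to treat the site as compromised rather than merely out of date, which is the distinction Mullenweg draws above between upgrading and repairing.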
Article courtesy of InternetNews.com.