
wordpress

Incident Summary

WordPress official download backdoored enabling remote execution (2.1.1)

Shortly after its release, the official WordPress 2.1.1 download package (`.zip`) hosted on wordpress.org was compromised by attackers who gained access to a web server. Obfuscated malicious PHP code was injected into core files (`wp-includes/vars.php` and possibly `wp-includes/theme.php`), creating a backdoor. This backdoor allowed remote attackers to pass arbitrary PHP code via specific request parameters (like `ix` or `iz`) for execution on the server, effectively granting them control over sites that installed the compromised package. The WordPress team detected the compromise quickly, removed the malicious package, and released version 2.1.2 with fixes and additional security hardening.

Date
2007-02-21 to 2007-02-22
Category
Open Source
Target Surface
Distribution
Insertion Phase
distribution
Impact
Backdoor
Cause
Compromised Infrastructure

What Was Affected

Package wordpress
Language PHP
Component Daemon
Artifact type source archive
Domain type project download host
Domain wordpress.org

Compromised Versions

Incident Context

Motive
Unauthorized Access/Control
Attribution
Individual Hacker
Observed Duration
1 day

Evidence

Compromised Artifacts

Current Artifacts and Analysis

Indicators and Changes

Hashes

  • md5:9b2e021b99f71846a99db1f3975e108d
  • sha1:43e08637c4b60b9208ee160483f4e9241241bc5e

External References

Source Data

Source record: oss/wordpress/meta.yaml