Open Source · 2007-02-21 · 1 day · Backdoor, Remote Code Execution

WordPress download enabled remote execution

Shortly after its release, the official WordPress 2.1.1 download package (.zip) hosted on wordpress.org was compromised by attackers who gained access to a web server.

Story

WordPress 2.1.1 was released as a normal maintenance build on February 21, 2007. Days later, a report to the WordPress security address pointed to strange, highly exploitable code in the official download. The project took the site down and investigated the package.

The attacker had user-level access to a server behind wordpress.org and modified the release file. WordPress said two files were changed to allow remote PHP execution. The Subversion repository was not touched; the damage was in the generated archive that users trusted.

The project declared all 2.1.1 downloads from the affected window dangerous, even though not every download was necessarily altered. WordPress 2.1.2 followed with verified files, and users were told to overwrite the full tree, especially wp-includes.

The lesson was plain: the release archive is production code. If the path that serves the download is writable, a signed source control history is not enough, because users run the archive, not the repository. WordPress responded with a server lockdown, password resets, and external checks of release packages.
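As an added example (not part of this record and not WordPress's own tooling), the check below compares every member of a release .zip against a per-file SHA-256 manifest computed from the trusted source tree, so a file altered only in the generated archive is reported even though the repository is untouched. The file names and contents are constructed stand-ins, and the manifest is assumed to be produced from a checkout and published somewhere the download host cannot write.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the checked-in source tree (not real WordPress files).
SOURCE_TREE = {
    "index.php": b"<?php require 'wp-blog-header.php'; ?>\n",
    "wp-includes/feed.php": b"<?php function get_feed() { return 'feed'; } ?>\n",
    "wp-includes/theme.php": b"<?php function get_theme() { return 'theme'; } ?>\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_tree(tree: dict) -> dict:
    """Per-file SHA-256 digests computed from the trusted source tree.

    This is the reference the archive is checked against; it must be built
    from source control, never from the archive being verified.
    """
    return {path: sha256_hex(content) for path, content in tree.items()}


def build_zip(tree: dict) -> bytes:
    """Package a tree into a .zip in memory (stands in for the release step)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(tree):
            zf.writestr(path, tree[path])
    return buf.getvalue()


def verify_archive(archive: bytes, manifest: dict) -> list:
    """Compare every member of the archive with the manifest.

    Returns a sorted list of (problem, path) tuples; an empty list means the
    archive matches the manifest exactly. Problems are:
      "modified"   - member present but its digest differs from the manifest
      "unexpected" - member not listed in the manifest at all
      "missing"    - manifest entry with no corresponding member
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
        for name in members:
            if name not in manifest:
                problems.append(("unexpected", name))
            elif sha256_hex(zf.read(name)) != manifest[name]:
                problems.append(("modified", name))
        for name in manifest:
            if name not in members:
                problems.append(("missing", name))
    return sorted(problems)


def tampered_tree() -> dict:
    """Constructed copy of the tree as it might look after an edit made on the
    download host only: one wp-includes file changed, one file added."""
    tree = dict(SOURCE_TREE)
    tree["wp-includes/theme.php"] = b"<?php function get_theme() { return 'theme'; } /* altered */ ?>\n"
    tree["wp-includes/extra.php"] = b"<?php ?>\n"
    return tree


if __name__ == "__main__":
    manifest = manifest_from_tree(SOURCE_TREE)
    print("clean archive:", verify_archive(build_zip(SOURCE_TREE), manifest))
    print("tampered archive:", verify_archive(build_zip(tampered_tree()), manifest))
```

The point of the design is that the manifest and the archive come from different places: the manifest is derived from source control and published out of band, so an attacker with write access to the download directory alone cannot make a modified archive pass. A single archive-level digest served from the same host as the archive gives no such guarantee.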

Affected Artifacts

Incident Context

Motive: Unauthorized Access Control
Attribution: Person
Cause: Compromised Infrastructure
Transitive: No
Actor: Individual Hacker

External References

Source record: oss/attacks/wordpress/meta.yaml