I’ve been getting a lot of questions about this post by Benjamin Flesch, so here’s a quick FAQ.
Are those vulnerabilities valid?
Partially. Of the seven issues raised, one of them could be used to compromise your WordPress 2.2.1 blog under the right circumstances. One of them is already fixed in 2.2.1. The other five issues aren’t vulnerabilities in themselves, as they depend on there being an earlier breach. Even the most severe of the issues isn’t catastrophic, as it requires your unwitting cooperation in order to execute.
Have the vulnerabilities been fixed?
The major vulnerability and the five minor vulnerabilities have been patched in WordPress SVN. The remaining vulnerability is an old vulnerability that doesn’t apply to version 2.2.1.
When will updated versions be released?
Soon. Within the next few days.
What’s this about a “worm”?
Benjamin Flesch created a tool that will use the major vulnerability to take control of your blog and attempt to patch the security vulnerabilities.
Should I run the “worm”?
I wouldn’t. His patches are different from our patches and may have unintended side effects.