Asks users to update immediately.
A vulnerability in the popular blogging software WordPress is now being actively exploited by a worm, according to a warning in this blog post. Those who run the software on their own server should install the latest version immediately. The vulnerability that the worm exploits is said to have been removed earlier this year and is therefore not present in the current version of WordPress, 2.8.4.
The worm has been confirmed by WordPress founder Matt Mullenweg in this blog post.
In short, the worm creates a new administrator account in WordPress and uses JavaScript to hide it in the user dashboard. The account is then used to insert spam and malicious software into the users' older posts.
This page describes how WordPress can be updated. It is also possible to have WordPress update itself fully automatically, but this solution does not always work completely smoothly.