Serving as a stern reminder of why it's important to keep desktop as well as server software up to date, a new worm can reportedly infect certain versions of the WordPress blog software. WordPress announced the discovery today, saying that a security bug which has already been fixed is now being exploited in the wild.
The worm is able to attack versions of WordPress prior to 2.8.4, including its immediate predecessor. Version 2.8.4 was released in early August specifically to address this flaw, which allows an attacker to trigger a password reset on WordPress accounts and take control of the admin account. Doing so gives the attacker access to further information, as well as the ability to wreak havoc on the blog itself.
Though the vulnerability was initially published several weeks ago, this is the first report of malware specifically identifying and trying to exploit it. The WordPress developers are concerned that many servers are still running old versions, which puts them at risk. If you're maintaining a WordPress server that's behind on updates, consider this a heads-up.