WordPress 2.2 users beware

A zero-day exploit was posted to PacketStorm a few days ago for WordPress 2.2. The vulnerability allows SQL injection because xmlrpc.php uses request inputs in database queries without checking them. A patched version of this file has been posted to Trac, but no official update has yet been released. If you’re running a WordPress 2.2 powered blog, I’d highly suggest applying this fix immediately. It might not be a bad idea to take a look through your database as well. There was a discussion of this exploit and the related fix on the WordPress support site, but I’m surprised that 5 days later there has still been no official mention of this on the WordPress dashboard.
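To make the class of bug concrete, here is an added illustration of the pattern the post describes, unchecked request input used to build a SQL query, next to a hardened version. This is example code written for this post, not WordPress’s xmlrpc.php or its patch; the table name, column names, the PDO connection and the in-memory SQLite data are all assumptions made for the demonstration.

```php
<?php
// Added illustration (not WordPress's own code): a lookup that builds its SQL
// from an unchecked request parameter, beside a hardened version that
// validates the value and binds it as a parameter. Table/column names and
// the $pdo connection are assumed for this example.

// Vulnerable pattern: the request value is interpolated straight into the
// SQL string, so the input can alter the statement itself.
function get_post_vulnerable(PDO $pdo, string $post_id): ?array {
    $sql = "SELECT ID, post_title FROM wp_posts WHERE ID = $post_id";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: reject anything that is not a plain integer, then bind
// the value as a typed parameter; the input can only ever be data.
function get_post_hardened(PDO $pdo, string $post_id): ?array {
    if (!ctype_digit($post_id)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT ID, post_title FROM wp_posts WHERE ID = :id');
    $stmt->bindValue(':id', (int) $post_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Offline demonstration against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)');
$pdo->exec("INSERT INTO wp_posts VALUES (1, 'Hello world', 'publish'), (2, 'Unpublished draft', 'private')");

var_dump(get_post_hardened($pdo, '1'));           // the legitimate record
var_dump(get_post_hardened($pdo, '1 OR 1=1'));    // non-numeric input is refused: NULL
```

The hardened version does two independent things, and both matter: validation keeps junk out of the application logic, and parameter binding keeps the database from ever parsing user-supplied text as SQL. WordPress itself exposes the same idea through `$wpdb->prepare()` in later versions; the point of applying the Trac patch now is that it closes the unchecked path in xmlrpc.php before the official 2.2.1 release arrives.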

Update: A release candidate of 2.2.1 has been posted which fixes the xmlrpc bug as well as a few others. Hopefully we’ll see an official release of 2.2.1 soon…