The WordPress developer community has classified the entire WordPress 2.1.1 release as dangerous, a serious security threat, and unsafe to use in a production environment. WordPress users running v2.1.1, especially those who downloaded it over the last 4 or 5 days, should immediately download the latest version, 2.1.2, and upgrade their installation by completely overwriting all old files. Apparently, a hacker or cracker managed to break into a server hosting WordPress.org and gained user-level access, which was used to modify the WordPress download file to include exploitable, security-compromising code.

According to the WordPress blog:

It was determined that a cracker had gained user-level access to one of the servers that powers WordPress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP (theme.php and feed.php) to include code that would allow for remote PHP execution.

If you have any questions on this security hole, you can email [email protected].

Download and install the latest version of WordPress (version 2.1.2) from the WordPress download page to patch the security hole, or use the direct download link for the ZIP file.
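After overwriting the old files, it is worth confirming that nothing from the tampered release survives. The script below is an added example, not code from the original post or from the WordPress project: it hashes every file in a clean release tree and in the installed site and reports files that are modified, missing, or extra. The two directory trees it builds are constructed sample data; in practice you would point it at a freshly unpacked 2.1.2 archive and your live install.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 (forward slashes)."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_trees(pristine: Path, installed: Path) -> dict:
    """List installed files that differ from, are missing from, or are extra to the clean release."""
    ref, got = hash_tree(pristine), hash_tree(installed)
    return {
        "modified": sorted(p for p in ref if p in got and ref[p] != got[p]),
        "missing": sorted(p for p in ref if p not in got),
        "extra": sorted(p for p in got if p not in ref),
    }

def demo() -> dict:
    """Constructed sample: a clean tree beside an install whose theme.php and feed.php differ."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp) / "wordpress-clean", Path(tmp) / "site"
        files = {"wp-includes/theme.php": "<?php // clean theme helpers\n",
                 "wp-includes/feed.php": "<?php // clean feed helpers\n",
                 "wp-login.php": "<?php // untouched\n"}
        for rel, body in files.items():
            for base in (clean, site):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_text(body)
        # Mimic the post's scenario: the two named files altered, plus one stray file.
        for rel in ("wp-includes/theme.php", "wp-includes/feed.php"):
            (site / rel).write_text("<?php // constructed: altered content\n")
        (site / "wp-content").mkdir()
        (site / "wp-content/dropped.php").write_text("<?php // constructed extra file\n")
        return compare_trees(clean, site)

if __name__ == "__main__":
    print(demo())
```

A clean upgrade should report empty "modified" and "missing" lists; anything under "extra" that you did not put there yourself deserves a look.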

Update: WordPress 2.2 released for download.