WordPress has fixed a cross-site scripting (XSS) flaw in its blogging software.

Version 2.6.5 also addresses three unrelated performance and stability bugs with the open source package. The XSS fixed by the latest version of the software is limited to particular setups involving IP-based virtual servers running on Apache 2.x.

WordPress has jumped from version 2.6.3 to 2.6.5 of the software in order to avoid confusion with 2.6.4, a fake version recently offered up by black hats via a bogus site. Sysadmins were directed to download the backdoor-rigged code earlier this month by hackers exploiting vulnerabilities in the blogging package. ®

Related stories

• American Express bitten by XSS bugs (again) (20 December 2008)
• Updated American Express web bug exposes card holders (16 December 2008)
• Microsoft gives Windows Live launch a Web 2.0 scrub-up (13 November 2008)
• Fake site punts Trojanised WordPress (6 November 2008)
• That password-protected site of yours - it ain't (22 August 2008)
• Hackers plant backdoor in blogging software (5 March 2007)
• Linux worm targets PHP flaw (7 November 2005)