WordPress has fixed a cross-site scripting (XSS) flaw in its blogging software.

Version 2.6.5 also addresses three unrelated performance and stability bugs with the open source package. The XSS fixed by the latest version of the software is limited to particular setups involving IP-based virtual servers running on Apache 2.x.

WordPress has jumped from version 2.6.3 to 2.6.5 of the software in order to avoid confusion with 2.6.4, a fake version recently offered up by black hats via a bogus site. Sysadmins were directed to download the backdoor-rigged code earlier this month by hackers exploiting vulnerabilities in the blogging package. ®

Related stories

• WordPress.com hack exposes confidential code (13 April 2011)
• WordPress swiss cheese vuln situation sorted (2 December 2010)
• Network Solutions mops up after mass WordPress breach (12 April 2010)
• Web service automates WordPress password cracking (30 November 2009)
• Worm wiggles through weary WordPress (7 September 2009)
• WordPress bug resets admin password (12 August 2009)
• XSS flaws poke ridicule at entertainment industry (8 May 2009)
• American Express bitten by XSS bugs (again) (20 December 2008)
• Updated American Express web bug exposes card holders (16 December 2008)
• Microsoft gives Windows Live launch a Web 2.0 scrub-up (13 November 2008)
• Fake site punts Trojanised WordPress (6 November 2008)
• That password-protected site of yours - it ain't (22 August 2008)
• Hackers plant backdoor in blogging software (5 March 2007)
• Linux worm targets PHP flaw (7 November 2005)