A security threat has been found in the automatic update feature of WordPress, with net-security.org reporting that over 1,000 WordPress-powered websites have been affected by the vulnerability so far. Affected sites are said to redirect visitors to affiliate pages, malware, pay-per-click redirectors, and low-quality PPC search result aggregators.
The security vulnerability was discovered by Denis Sinegubko, the founder of the Unmask Parasites website, who writes:
Sometimes I see how webmasters misinterpret the importance of upgrades for WordPress security. They expect that if they upgrade a hacked blog, it will immediately become clean and secure. Unfortunately it doesn’t work this way. Upgrades can only clean core WordPress files, leaving backdoors, infected themes, plugins and database records intact. That’s why it is important to clean up your site before the upgrade.
Moreover, a few days ago I came across a new massive infection (more than 1,000 currently known infected blogs) that hijacks the “Automatic Update” feature and makes it the event that triggers blog re-infection.
This attack began just before the WordPress 3.3.2 release, and many blogs now actively use the “Automatic Update” option to upgrade their blogs to this new version. For some of them, the upgrades come with a malicious extra.
Read more about Denis's findings relating to this security threat on unmaskedparasites.com.