Earlier today the WordPress team released WordPress 3.0.4 which contained a critical fix for an XSS vulnerability. Sadly, the release made the problematic code public to everyone and there are reports that WordPress sites who have not yet upgraded are being hacked.
A post on DreamHost, one of the largest web hosting companies says that many sites who have not yet upgraded are being attacked through this XSS vulnerability. Many of their customers aren’t able to access their WordPress Admin dashboard.
Another important thing being noted by DreamHost team is that once your site has been hacked, upgrading to the latest version won’t help since the inserted data sits in a file which is untouched by the upgrade. I am looking into what files are affected and will update this post as soon as I come across it.
Rest aside, this new problem has made me determined to release the WordPress Remote Upgrade and Manager within the next few days, so stay tuned for it.
Upgrading WordPress is easy and usually takes a few seconds. So drop everything else and upgrade your WordPress installation to 3.0.4 ASAP.