WordPress version 2.1.1 may contain malicious software that could allow an unauthenticated, remote attacker to execute arbitrary PHP script code.
Due to a server compromise, the WordPress 2.1.1 download was altered to contain malicious code. The code takes the form of a backdoor that allows an unauthenticated, remote attacker to execute arbitrary PHP code on the affected server. The backdoor exists in two places. The first is the wp-includes/feed.php script, which passes the ix request parameter to eval(). The second is the wp-includes/theme.php script, which passes the iz request parameter to passthru(). An attacker could use either script to run arbitrary PHP code on the affected web server; because passthru() runs its argument as a system command, the iz parameter of theme.php may also allow arbitrary system command execution.
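As an added example (not from this advisory or from WordPress), the following Python script supports two defender checks suggested by the description above: it flags access-log requests that reach the two affected scripts with their trigger parameters, and it statically checks a copy of either script for the backdoor shape the advisory describes. The sample log lines are constructed, and the exact eval()/passthru()-of-$_GET form matched by the static check is an assumption made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scripts and trigger parameters named in the advisory: eval() via "ix" in
# wp-includes/feed.php, passthru() via "iz" in wp-includes/theme.php.
BACKDOOR_PARAMS = {"wp-includes/feed.php": "ix", "wp-includes/theme.php": "iz"}
SINK_FOR_PARAM = {"ix": "eval", "iz": "passthru"}

# Combined log format; only client IP, request target and status are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target):
    """Return (script, param) when the request reaches one of the affected
    scripts with its trigger parameter present (even if empty), else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    for script, param in BACKDOOR_PARAMS.items():
        if parts.path.endswith(script) and param in query:
            return script, param
    return None

def find_backdoor_requests(log_lines):
    """Return (ip, script, param, status) for every suspicious access-log line."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        found = classify_request(m.group("target"))
        if found is not None:
            hits.append((m.group("ip"), found[0], found[1], int(m.group("status"))))
    return hits

def file_looks_backdoored(script_name, source):
    """Static check of a script body for the shape the advisory describes.
    Assumption: the trigger parameter is read from $_GET/$_REQUEST and passed
    straight to eval()/passthru(); a clean 2.1.2 file has no such call."""
    param = BACKDOOR_PARAMS.get(script_name)
    if param is None:
        return False
    pattern = r'\b%s\s*\(\s*\$_(?:GET|REQUEST)\s*\[\s*["\']%s["\']\s*\]' % (SINK_FOR_PARAM[param], param)
    return re.search(pattern, source) is not None

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Mar/2007:10:00:01 +0000] "GET /wp-includes/feed.php?ix= HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Mar/2007:10:00:02 +0000] "GET /feed/ HTTP/1.1" 200 8421',
    '203.0.113.5 - - [03/Mar/2007:10:00:03 +0000] "GET /blog/wp-includes/theme.php?iz= HTTP/1.1" 200 90',
    '192.0.2.9 - - [03/Mar/2007:10:00:04 +0000] "GET /wp-includes/theme.php HTTP/1.1" 200 0',
]
```

A request to either script carrying its trigger parameter has no legitimate use in WordPress, so even a single hit is worth treating as an indicator that the tampered 2.1.1 files were deployed and probed.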
Proof-of-concept code is publicly available.
WordPress has released a security statement at the following link: WordPress
WordPress released an updated version at the following link: WordPress 2.1.2 or later
US-CERT has released a vulnerability note at the following link: VU#214480