Around 9am (CST) this morning we were alerted via the wp-hackers mailing list that there is an exploit out that affects the latest version of WordPress, v 2.8.4.
If you want to read more about all the technical stuff you can find the original blog post detailing the exploit here.
I wouldn’t say this is critical, since your data is not at risk, but any time someone can put heat on your server it is not good.
No word yet on whether a patch is going to be released in the form of WordPress 2.8.5. There are a few fixes out already, however.
There is a chunk of code you can paste into your theme’s functions.php file.
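    function ft_stop_trackback_dos_attacks(){
        // $pagenow holds the name of the WordPress script handling this request.
        global $pagenow;
        if ( 'wp-trackback.php' == $pagenow ){
            // DoS attack fix: drop trackbacks whose charset parameter is
            // longer than 50 characters before WordPress processes it.
            if ( isset($_POST['charset']) ){
                $charset = $_POST['charset'];
                if ( strlen($charset) > 50 ) { die; }
            }
        }
    }
    // Run the check on every request, early in WordPress start-up.
    add_action('init','ft_stop_trackback_dos_attacks');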
There is also already a fix on trac.
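As an added example (not part of the original post or of WordPress), here is a small Python check for clients sending bursts of POSTs to wp-trackback.php, the script the snippet above guards. The log lines are constructed samples in common access-log format, and the function name, threshold and time window are assumed values to tune for your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges, made-up date), not real traffic.
SAMPLE = [
    f'198.51.100.7 - - [01/Jan/2010:09:00:{s:02d} -0600] "POST /wp-trackback.php?p=1 HTTP/1.1" 200 78'
    for s in range(8)
] + [
    '203.0.113.9 - - [01/Jan/2010:09:00:03 -0600] "POST /blog/wp-trackback.php?p=4 HTTP/1.1" 200 78',
    '203.0.113.9 - - [01/Jan/2010:09:05:10 -0600] "POST /blog/wp-trackback.php?p=4 HTTP/1.1" 200 78',
    '192.0.2.4 - - [01/Jan/2010:09:00:04 -0600] "GET /wp-trackback.php?p=1 HTTP/1.1" 200 78',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

def trackback_flooders(lines, limit=5, window=timedelta(seconds=10)):
    """Return the client IPs with more than `limit` trackback POSTs inside `window`."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare the script name only, so query strings and
        # subdirectory installs (/blog/wp-trackback.php) still match.
        if not m["path"].split("?", 1)[0].endswith("/wp-trackback.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:   # forget hits older than the window
            hits.popleft()
        if len(hits) > limit:
            flagged.add(m["ip"])
    return flagged

if __name__ == "__main__":
    print(sorted(trackback_flooders(SAMPLE)))
```

A flagged address is a candidate for rate limiting or blocking at the web server or firewall; ordinary trackbacks arrive far less often than this.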
