Attackers have injected exploit code into the downloadable software for the WordPress blogging service.
The open source software allows users to set up and publish postings to a blog. The company has issued an update that repairs the vulnerability.
Hackers broke into the WordPress download server early last week and embedded attack code into the 2.1.1 update of the application.
The malware opened a backdoor on infected systems that could allow an attacker to execute code and install software.
WordPress founding developer Matthew Mullenweg said on a company blog that the infected software was offered to users for three to four days as an official download before the company was alerted to the breach.
"This is the kind of thing you pray never happens," said Mullenweg. "But it did and we are dealing with it as best we can."
Security vendor Symantec said that it had uncovered fewer than 50 attacks exploiting the backdoor. The firm rated the threat as 'low-level' because of its limited reach and easy removal.
WordPress is recommending that all users upgrade to version 2.1.2 of the software, and has urged administrators hosting WordPress blogs to prevent access to the 'theme.php' and 'feed.php' files, which are infected by the attack.