WordPress has fixed a cross-site scripting (XSS) flaw in its blogging software.
Version 2.6.5 also addresses three unrelated performance and stability bugs with the open source package. The XSS fixed by the latest version of the software is limited to particular setups involving IP-based virtual servers running on Apache 2.x.
In those setups it might be possible for hackers to rig systems so that they serve up malicious Java Script from domains under their control, as explained in an advisory by WordPress here.
WordPress has jumped from version 2.6.3 to 2.6.5 of the software in order to avoid confusion with 2.6.4, a fake version recently offered up by black hats via a bogus site. Sysadmins were directed to download the backdoor-rigged code earlier this month by hackers exploiting vulnerabilities in the blogging package.