Update: WP developers are looking into this now . . .
The current version of WordPress (2.1 through 2.3.1 verified so far) is apparently vulnerable to an HTML-tainting attack: hidden spam links are being written into existing posts. I first noticed it on this blog in the next-to-top post. I've actually been on a vacation of sorts, but I monitor changes to my web site carefully. WordPress.org has been notified, but I feel that releasing only the existence of the potential vulnerability (and not a mechanism I don't yet have) is ethical. I have also created a tool to audit for this attack (see "How Do You Know If You're Affected?" below). Others' equity is at stake here as well!
Though I don't know the exact mechanism yet, I have some ideas based on my logs, and I have a high degree of confidence that it's a WordPress-specific hack (or perhaps a very popular plug-in) for the following reasons:
0. The links are clearly pathological and deliberately concealed visually using CSS.
1. All exploited sites are running WordPress.
2. The affected sites are on various shared and dedicated hosts in various places around the internet (it's not a particular hosting company).
3. The HTML-tainting appears in the actual database record (at least in my case) for the post; and that's not generally the easiest approach for this sort of attack.
Example HTML Insertion Attack:
<div id="mnu1" style="overflow: auto; position: absolute; z-index: 1; left: -500px; text-indent: -500px; width: 600px; text-align:left">
Where <a href="http://www.adshelper.com/">download mp3 music</a>? It's obvious.<br /> Fast downloads and super high quality... <br />Try to guess, what's the best site to <a href="http://www.my-movie-download.com/">download movies</a>? Yes, that's right.<br /> I recently downloaded few films with super high quality.
</div>
The outbound links appear to point to the following domains:
ADSHELPER.COM (WHOIS RECORD NOT PRIVATE)
SOFTICANA.COM (WHOIS RECORD PRIVATE; GODADDY; TO INFORM GODADDY OF SPAM USE THIS LINK)
How Do You Know If You're Affected?
I'm writing a quick-and-dirty WordPress plugin to scan your blog for the signature of the HTML-tainting. Install it. It will email you with the affected post IDs if you've been hit (Note: IT SHOULD WORK NOW ...).
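The audit the plugin performs can also be run offline against exported post bodies. The script below is an added example written for this page in Python; it is not the author's plugin or WordPress code. It applies two checks to each (ID, post_content) row: whether a link sits inside an element concealed with CSS (offscreen absolute positioning, a large negative text-indent, display:none or visibility:hidden), which is the part of the signature in the payload above, and whether a link points at one of the domains named on this page. The domain list, the 100px "offscreen" threshold and the sample rows are assumptions constructed for the example.

```python
"""Scan WordPress post bodies for concealed link injection (added example).

Feed it (ID, post_content) pairs, e.g. pulled from wp_posts. The rows at the
bottom are constructed stand-ins, one of them carrying the payload shown on
the page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains named on the page (assumed list; extend as new ones are observed).
KNOWN_SPAM_DOMAINS = {"adshelper.com", "softicana.com", "my-movie-download.com"}

# Elements that never get an end tag; they must not unbalance the tag stack.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}

_HIDDEN = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
_POSITIONED = re.compile(r"position\s*:\s*(absolute|fixed)", re.I)
# Lookbehind keeps "margin-left: -200px" (a common legitimate layout) from
# matching as "left".
_NEG_OFFSET = re.compile(r"(?<![\w-])(left|top|right|bottom)\s*:\s*-(\d+)px", re.I)
_NEG_INDENT = re.compile(r"\btext-indent\s*:\s*-(\d+)px", re.I)
OFFSCREEN_PX = 100  # assumed threshold: legitimate layouts rarely go this far


def is_concealed(style):
    """True if an inline style hides the element or pushes it off the page."""
    if _HIDDEN.search(style):
        return True
    if _POSITIONED.search(style) and any(
        int(m.group(2)) >= OFFSCREEN_PX for m in _NEG_OFFSET.finditer(style)
    ):
        return True
    return any(int(m.group(1)) >= OFFSCREEN_PX for m in _NEG_INDENT.finditer(style))


class _HiddenLinkScanner(HTMLParser):
    """Tracks nesting so links anywhere under a concealed element are caught.

    Assumes reasonably balanced markup; a stray end tag pops the wrong entry.
    """

    def __init__(self):
        super().__init__()
        self._stack = []          # one entry per open element: concealed or not
        self._hidden_depth = 0    # how many concealed ancestors are open
        self.hidden_links = []    # hosts linked from inside a concealed element
        self.known_links = []     # hosts on the known spam list, hidden or not

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            host = (urlparse(attrs["href"]).hostname or "").lower()
            if host.startswith("www."):
                host = host[4:]
            if host in KNOWN_SPAM_DOMAINS:
                self.known_links.append(host)
            if self._hidden_depth:
                self.hidden_links.append(host)
        if tag in VOID_TAGS:
            return
        concealed = is_concealed(attrs.get("style") or "")
        self._stack.append(concealed)
        if concealed:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1


def scan_posts(posts):
    """posts: iterable of (post_id, post_content). Returns {post_id: [reasons]}."""
    hits = {}
    for post_id, content in posts:
        scanner = _HiddenLinkScanner()
        scanner.feed(content)
        scanner.close()
        reasons = []
        if scanner.hidden_links:
            reasons.append(
                f"{len(scanner.hidden_links)} link(s) inside a CSS-concealed element: "
                + ", ".join(sorted(set(scanner.hidden_links)))
            )
        if scanner.known_links:
            reasons.append("known spam domain(s): " + ", ".join(sorted(set(scanner.known_links))))
        if reasons:
            hits[post_id] = reasons
    return hits


# Constructed rows standing in for (ID, post_content) from wp_posts.
PAYLOAD = (
    '<div id="mnu1" style="overflow: auto; position: absolute; z-index: 1; '
    'left: -500px; text-indent: -500px; width: 600px; text-align:left">'
    'Where <a href="http://www.adshelper.com/">download mp3 music</a>? '
    "It's obvious.<br /> Try to guess, what's the best site to "
    '<a href="http://www.my-movie-download.com/">download movies</a>?</div>'
)
SAMPLE_POSTS = [
    (101, '<p>Back from vacation. See <a href="http://wordpress.org/">WordPress</a>.</p>'),
    (102, "<p>Here is my post about PHP.</p>" + PAYLOAD),
    # Same trick with a fresh domain: a domain search misses it, the concealment check does not.
    (103, '<p>Tips.</p><div style="display:none"><p><a href="http://example.net/">cheap stuff</a></p></div>'),
    # Legitimate absolute positioning with an on-screen offset: not flagged.
    (104, '<div style="position: absolute; left: 10px"><a href="http://example.org/">sidebar</a></div>'),
]

if __name__ == "__main__":
    for post_id, reasons in scan_posts(SAMPLE_POSTS).items():
        print(post_id, "->", "; ".join(reasons))
```

A plain `SELECT ID FROM wp_posts WHERE post_content LIKE '%adshelper.com%'` is a fine first pass and catches the domains already known, but the spammer only has to register a new domain to defeat it; the concealment check flags the part of the signature that is hard to drop, since the links have to stay invisible to the blog's readers to go unnoticed. Review what it flags by hand: negative offsets are also used by legitimate image-replacement and menu techniques.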
What Can We Learn From this?
A domain and its URLs carry equity (the trust and ranking value search engines assign them), and black hats are always looking for a way to exploit it. One must be vigilant to protect this equity by monitoring for attacks like this one: concealed outbound links pass your equity to the spammer's domains and can be particularly harmful to your own rankings as well. HTML insertion attacks in general are also documented in my book:

Search Engine Optimization with PHP
I have a high degree of confidence that this individual is involved: this guy. He has been on DigitalPoint forums. More information about him is located here.
Affected WordPress Versions
2.1-2.3.1
Prominent Affected Sites
http://warpspire.com/hemingway : WordPress 2.3-alpha
http://www.cartoonbrew.com/ : WordPress 2.1
http://www.powazek.com/ : WordPress 2.2
http://www.freekareem.org/ : WordPress 2.2.1
http://www.smallbiztrends.com/ : WordPress 2.2.1
http://blog.modernmechanix.com/ : WordPress 2.1.2
http://www.bittbox.com/ : WordPress 2.2.1
http://www.ethanzuckerman.com/blog/ : WordPress 2.2.1
http://www.tjcenter.org/ : WordPress 2.1.2
http://www.cato-at-liberty.org/ : Signature Removed
http://www.smstextnews.com/ : WordPress 2.1.3
http://blog.ianbicking.org/ : WordPress 2.2.1
http://www.searchviews.com/ : WordPress 2.2
http://www.dreammanifesto.com/ : WordPress 2.3.1
via http://siteexplorer.search.yahoo.com/advsearch?p=http%3A%2F%2Fsofticana.com&bwm=i&bwmf=a&bwms=p
http://www.zeldman.com/ : Signature Removed
http://www.mysqlperformanceblog.com/ : WordPress 2.3.1
http://blog.oup.com/ : WordPress 2.2
http://weblog.philringnalda.com/ : WordPress 2.3.1
http://blog.everythingflex.com/ : WordPress 2.1.3
http://www.darfur-awareness.org/ : WordPress 2.2

October 31st, 2007 at 12:53 pm
[...] Sirovich over at SEO Egg Head today reported that on returning from holiday he found that his blog had been hit by what he calls [...]
October 31st, 2007 at 1:33 pm
[...] you are running Wordpress, then you will want to check out this post at SEO Egghead about a new Wordpress vulnerability. Some clever folks have figured out a way to inject some links fo free. [...]
October 31st, 2007 at 6:05 pm
Do we need the plugin? Can't we just use the WP search tool under Manage and search for "adshelper" and then repeat for "softicana"? (I can find words in links I entered in posts using the search tool.)
November 1st, 2007 at 10:57 am
[...] SEO Egghead has evidently discovered a WP 2.3.1 vulnerability: HTML-tainting attacks. (The vulnerability evidently exists in WP 2.1 as well.) The apparent application is to inject ads into bloggers' older posts; these would tend to look like paid links. The problem for you would be a potential drop in PageRank. [...]
November 2nd, 2007 at 10:46 am
Jaimie, do you not have any details from your logs that you could post up? It may help us get to the bottom of it.
November 2nd, 2007 at 10:52 am
So... it's been a couple days, what's the news?
November 2nd, 2007 at 10:55 am
[...] Sirovich of SEO Egghead has reported that his blog was attacked by spam and is claiming that it is due to an HTML insertion [...]
November 4th, 2007 at 1:06 am
Nothing so far. I have a response from WP, and they're looking into it.
November 5th, 2007 at 12:20 am
I'm guessing you'll post again once you get a response? Thanks for the tip on this.
November 7th, 2007 at 8:35 am
[...] was looking at a SEO blog I read and I found this article SEO Egghead by Jaimie Sirovich » Latest WordPress 2.3.1 Apparently Vulnerable To Hackers. Looks like in the current version of Wordpress people can upload HTML and hijack your blog and [...]
November 28th, 2007 at 12:45 pm
So has wordpress provided a security fix for this yet?
January 7th, 2008 at 3:51 am
[...] fiLi article is brought to you using RSS feeds. Here are some of the top articles on search engine optimization. The current version of WordPress (also 2.1-2.3.1 verified so far) is apparently vulnerable to an HTML-tainting attack. I first noticed it on this blog in the next-to-top post. I've actually been on a vacation of sorts, … [...]
January 8th, 2008 at 10:33 am
Any news on this? My blog got hit today with "post spam" that only appears in RSS. A search of Wordpress support, forums, etc. reveals nothing!
January 23rd, 2008 at 2:19 pm
Thanks for the plugin. It helped a lot.
February 25th, 2008 at 6:01 am
Oh..Glad I read about this post.. Thanks a lot for the news...