News service Reuters appears to still be running the same outdated version of WordPress that allowed its blogging platform to be compromised by attackers last week.
Attackers published fake blog posts on Friday, including a purported interview with the leader of the Free Syrian Army.
Mark Jaquith, one of the lead developers behind WordPress, told The Wall Street Journal that Reuters had been running version 3.1.1 instead of the latest version, 3.4.1. There are at least 20 reported vulnerabilities in version 3.1.1.
While blogs.reuters.com was taken offline shortly after the attack, the site is again operational. According to Jaquith, it may still be running a vulnerable version, despite WordPress developers implementing update notifications and a self-updating feature to help users stay in line with the latest security patches.
Attackers originally broke into the blog platform and published fake news stories on Friday, including an alleged interview with Riad Al-Assad claiming the Free Syrian Army was withdrawing from Aleppo. A follow-up attack came on Sunday, when attackers took control of the @ReutersTECH Twitter account and posted 22 different messages, such as reports of a rebel exodus from Aleppo and claims that the United States was providing financial and technical support to Al-Qaeda operatives in Syria.