Hi. Sorry for waking up an old thread. I’ve just found that a prehistoric version of WordPress I had online had been compromised too.
The issue I am seeing is that WordPress 2.7 and even the svn trunk still have the XSS vulnerability that makes the bogus ‘WordPress’ user disappear from the user list. Maybe it doesn’t let users with <script> tags in their names be created anymore, but the bogus users in the database that were created before the upgrade are still there, but they don’t appear on the user list.
Where should a security issue like this be reported?