Security Alert for AddThis WordPress plugin

Late yesterday, the accounts of several popular plugins on were compromised, including the AddThis plugin account. Malicious code was inserted into these plugins, opening a backdoor for potential third party code to execute on your server. The issue affected version 2.1.3 of the AddThis plugin, and you will be affected only if you downloaded that version yesterday or this morning. We have also patched the plugin as of this morning, and version 2.2.0 is fully certified.

WordPress has reset all accounts, and is updating status in this post.

All users of the AddThis WordPress plugin are STRONGLY encouraged to upgrade to the latest version (2.2.0) as quickly as possible, especially if you updated or installed version 2.1.3 of the plugin yesterday (June 20, 2011) or today (June 21, 2011).

To upgrade, please visit the upgrades page inside your WordPress installation. You can also grab the latest version from the WordPress repository.

We will continue to work with the WordPress team on this. If we have more information, we will update this post.

The AddThis Team

  • Any word on what to do if I installed version 2.1.3? I’ve already updated to 2.2.0, but what was compromised?

  • Thanks for the warning. I install the awesome AddThis WordPress Plugin on most Websites I set up for customers so will update my customers …

  • Thanks for the notice.
    I just upgraded to 2.2.0.

  • Hi Chris,
    Unless you updated or installed version 2.1.3 on June 20 or June 21, you are not affected by the attack. If you did update or install it during that time, upgrading to 2.2.0 removes the vulnerability.

  • Thanks for posting a note about this, I’m lucky enough to be one of those people who waits to do upgrades :)

  • Thank you for your services and the constant upgrades!!!

  • Hi, thanks for sharing and warning. I have updated and also grabbed the latest version of wordpress repository.

  • That’s great to hear you folks are on top of something like this. It’s nice to know I’ve just installed AddThis plugin 2.2.0 for WordPress safely.
    Question: Where is the Google +1 in this plugin though? Your website says, “Publishers now have the option to easily install the +1 button via, our WordPress Plugin…” but unless I’m blind, I can’t see where it’s included in the WordPress Plugin. Please tell me what I’m missing here.

  • @Brent, Go into your plugin settings and make sure you’ve selected AddThis. Click on Additional Style Options. It’s the second option.

  • It is incredible to see how hackers get everywhere to spoil good things … The sad part is that most intelligent people take the wrong path, usually as a way to have fun …
    I call all those hyper-intelligent to guide efforts toward building a better world, a strong presence with major innovations to make this an ideal place to live.
    Thank you all!

  • Thanks for the heads up. I have hackers, they must have better things to do with their time!

    Don’t they realise that it’s just as easy to make money ethically?

  • After examining just a few of the weblog posts on your website now, I really like your method of blogging.

  • Thanks.. I really love your plugin! Keep the good work