Recently we were alerted to several claims of security flaws in the Akismet 2.5.6 plugin for WordPress.
We tested the claims of vulnerabilities in the current version of the Akismet plugin, and found them to be baseless. There was a minor exploit possible in version 2.5.3, but this had already been fixed in a routine security audit in December 2011. That fix was included in the 2.5.4 release in January 2012, prior to the publication of the advisory.
Several of the claims refer to Akismet 2.5.6 running in WordPress 2.0, an incompatible combination – Akismet 2.5 requires WordPress 3.0 or higher.
There was a minor exploit possible in Akismet 2.4.0, which is the legacy branch maintained only for versions of WordPress 2.9 and earlier. This has been fixed in the 2.4.1 release.
In short, the claims of a vulnerability in 2.5.6 are false. They were published without any attempt to contact Akismet.com or Automattic. Any security alerts about the Akismet plugin should be made here.
Of course it’s always a good idea to keep WordPress and its plugins up to date. If you haven’t done so already, we recommend taking the time to update to WordPress 3.4 and the current version of the Akismet plugin.