With this week’s release of WP 2.6.5, you might be wondering where 2.6.4 went.

It didn’t – in fact, there will NEVER be a WordPress 2.6.4 – because there already was one!

Confusing I know, but the catch is that another site tried to release a WP 2.6.4 with some malware in it – and the result was that the official WP release number was bumped up to avoid any confusion.

The fake 2.6.4 included some nasty code in the /wp-includes/pluggable.php file which tried to send cookie data to another site (which tried hard to look like wordpress.org, even naming itself wordpresZ.org).

With these cookies, it may have been possible to hack into others’ blogs – and have complete control of the site.

So if you see WP 2.6.4, avoid it like any other malware out there.