WordPress 3.0.5 Security Update Released
WordPress has just released an update to the popular blogging platform. WordPress should already have received a notice in the admin dashboard of their WordPress blog.
According to the developers, WordPress 3.0.5 is a “security hardening update for all previous WordPress versions” that fixes two moderate security issues and one information disclosure issue, and adds two security enhancements to the blogging application. This security release is required if you have any untrusted user accounts, but it also comes with important security enhancements and hardening. All WordPress users are strongly encouraged to update. In the same announcement, WordPress developers have said that WordPress 3.1 is coming soon along with the release of WordPress 3.1 RC4. (via)
The release addresses a number of issues and provides two additional enhancements:
Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.
One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.
Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in previous release.
The summary of fixes posted here, lists the following changes:
- Fix XSS bug: Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role.
- Fix XSS bug: Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role.
- Fix potential information disclosure of posts through the media uploader. Affects users of the Author role.
- Enhancement: Force HTML filtering on comment text in the admin
- Enhancement: Harden check_admin_referer() when called without arguments, which plugins should avoid.
- Update the license to GPLv2 (or later) and update copyright information for the KSES library.
WordPress 3.0.5 is available for download at the official WordPress site. WordPress users can also install the update manually on their server or use the automatic update feature.