Dec 30, 2010 07:48 GMT

WordPress 3.0.4 has been released as a critical security update for the popular blogging platform to address several cross-site scripting issues.

WordPress developers recommend deploying the update as soon as possible, because the weaknesses are located in a core component.

"I would rate this release as 'critical'," Matt Mullenweg, the WordPress founder and lead developer writes.

"I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well," he adds.

Mauro Gentile and Jon Cave (duck_) are credited with discovering the XSS vulnerabilities, which are located in the KSES HTML sanitization library.

The fixes are described as: don't be case sensitive to attribute names, handle padded entities when checking for bad protocols, and normalize entities before checking for bad protocols in esc_url().
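To make the three changelog items concrete, here is an added Python model of a kses-style attribute filter before and after the fixes; it is illustrative code written for this article, not WordPress's own, and the scheme allow-list, attribute list and sample inputs are constructed for the demo.

```python
import html
import re

# Constructed allow-lists for the demo (not WordPress's actual lists).
ALLOWED_PROTOCOLS = {"http", "https", "mailto", "ftp"}
URL_ATTRS = {"href", "src"}  # attribute names whose values are URLs

def has_bad_protocol(url: str) -> bool:
    """True if the string starts with a scheme that is not on the allow-list."""
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):", url)
    return bool(m) and m.group(1).lower() not in ALLOWED_PROTOCOLS

def normalize_entities(text: str) -> str:
    """Decode HTML entities, including zero-padded numeric ones such as
    &#0000106;. Loops so a doubly encoded value is fully resolved."""
    prev = None
    while prev != text:
        prev, text = text, html.unescape(text)
    return text

def filter_attr_weak(name: str, value: str) -> str:
    """Pre-fix behaviour: case-sensitive attribute match, and the protocol
    check runs on the still-encoded value."""
    if name in URL_ATTRS and has_bad_protocol(value):
        return ""
    return value

def filter_attr_fixed(name: str, value: str) -> str:
    """Post-fix behaviour: lower-case the attribute name, normalize entities,
    drop control/whitespace bytes browsers ignore, then check the scheme."""
    if name.lower() in URL_ATTRS:
        decoded = re.sub(r"[\x00-\x20]", "", normalize_entities(value))
        return "" if has_bad_protocol(decoded) else decoded
    return value

# Constructed sample attributes covering each of the three fixes.
SAMPLES = [
    ("href", "https://example.com/"),            # benign, must survive
    ("HREF", "javascript:void(0)"),              # upper-case attribute name
    ("href", "&#0000106;avascript:void(0)"),     # zero-padded entity hides scheme
    ("href", "&#106;&#97;vascript:void(0)"),     # entities decoded before check
]

def run(filter_fn) -> list[str]:
    """Apply a filter to every sample and return the surviving values."""
    return [filter_fn(name, value) for name, value in SAMPLES]
```

The weak filter lets the last three samples through untouched; the fixed filter empties them while leaving the benign URL intact.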

The update modifies wp-includes/version.php, wp-includes/formatting.php, wp-includes/kses.php, readme.html and wp-admin/includes/update-core.php; the actual security fixes, however, are in kses.php.

Mullenweg also asks for the help of security researchers willing to review the fixes and provide their input. "We’ve given it a lot of thought and review but since this is so core we want as many brains on it as possible," he notes.

Webmasters can upgrade to WordPress 3.0.4 from the Dashboard > Updates menu. The process is straightforward and shouldn't normally cause any problems.

This is the third security update for WordPress within a month. Version 3.0.2, which landed on November 30, fixed a privilege escalation flaw and several XSS weaknesses, while 3.0.3, released on December 9, addressed an elevation of privilege (EoP) vulnerability in the XML-RPC remote publishing interface.

WordPress 3.0.4 can be downloaded from here.