Dec 1, 2010 11:28 GMT

Version 3.0.2 of popular blogging platform WordPress was released as a mandatory security update, which contains fixes for several flaws, including one that carries a moderate risk.

The release notes credit a Russian freelance Web programmer named Vladimir Kolesnikov for discovering and responsibly reporting the serious vulnerability.

There are not many details about the flaw, other than its description as an “issue that could allow a malicious Author-level user to gain further access to the site.”

According to David Dede, a researcher with Web integrity monitoring provider Sucuri, the vulnerability was patched in a matter of hours after being disclosed.

The 3.0.2 version also addresses two cross-site scripting (XSS) weaknesses in the request_filesystem_credentials() function and the plugin deleting process. These security issues are considered to only carry a minor risk.

The update is a maintenance release and therefore also contains non-security-related bug fixes and enhancements.

A complete list of changes reads:

- Fix moderate security issue where a malicious Author-level user could gain further access to the site.
- Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin.
- Remove pingback/trackback blogroll whitelisting feature as it can easily be abused.
- Fix canonical redirection for permalinks containing %category% with nested categories and paging.
- Fix occasional irrelevant error messages on plugin activation.
- Clarify the license in the readme.
- Multisite: Fix the delete_user meta capability.
- Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins.
- Multisite: Fix ms-files.php content type headers when requesting a URL with a query string.
- Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs.

Users are advised to upgrade to the new version immediately by going to the Dashboard > Updates menu, especially since the process is now a lot easier and more straightforward than it used to be.

Blogs running outdated WordPress versions are a constant target in mass injection attacks which exploit known vulnerabilities to infect their pages with rogue code.
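For administrators who run many blogs, the quickest way to find installs that still need the 3.0.2 update is to read the version string WordPress stores in wp-includes/version.php. The following script is an added example, not code from the article or from the WordPress project; the version.php contents it inspects are a constructed sample, and the 3.0.2 threshold comes from this article.

```python
import re
from typing import Optional, Tuple

# Release that contains the fixes described in this article.
PATCHED_VERSION = "3.0.2"

# Constructed sample of a wp-includes/version.php from a site still on 3.0.1.
# WordPress really does declare $wp_version in that file; the rest is illustrative.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '3.0.1';
"""


def parse_wp_version(version_php: str) -> Optional[str]:
    """Return the $wp_version value from the text of version.php, or None if absent."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '3.0.2' into (3, 0, 2); non-numeric suffixes such as 'beta1' count as 0."""
    parts = []
    for piece in re.split(r"[.-]", v):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def needs_update(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is older than the patched release."""
    a, b = version_tuple(installed), version_tuple(patched)
    width = max(len(a), len(b))
    # Pad with zeros so '3.0' compares as '3.0.0' rather than as a shorter tuple.
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def check_install(version_php: str) -> dict:
    """Summarise one install: the version found and whether it predates 3.0.2."""
    installed = parse_wp_version(version_php)
    if installed is None:
        return {"installed": None, "outdated": None, "note": "no $wp_version found"}
    return {"installed": installed, "outdated": needs_update(installed)}


if __name__ == "__main__":
    print(check_install(SAMPLE_VERSION_PHP))
```

Point the script at the real file (`open("wp-includes/version.php").read()`) on each host to build an inventory of installs that are still exposed.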

WordPress 3.0.2 can be downloaded from here.