Apr 27, 2011 17:55 GMT

The WordPress development team has released version 3.1.2 of the popular blogging platform in order to address a privilege escalation issue affecting post publishing.

According to the release announcement, the flaw allowed Contributor-level users to improperly publish posts.

The security hole was located in press-this.php and was resolved by validating the requested post status against the user's capabilities.
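The class of check described above, shown as an added example (this is not the WordPress patch or any code from press-this.php): a request-supplied post status is only honored if the user's role carries the matching capability. The function names, the simplified role map and the choice of which statuses require `publish_posts` are assumptions of this example; it runs with the PHP CLI without WordPress installed.

```php
<?php
// Added illustration, not WordPress core code. All function names are hypothetical.

// Simplified subset of WordPress default role capabilities (constructed sample).
const ROLE_CAPS = [
    'contributor' => ['read', 'edit_posts', 'delete_posts'],
    'author'      => ['read', 'edit_posts', 'delete_posts', 'publish_posts'],
];

// Statuses this example treats as requiring publish_posts (assumption).
const NEEDS_PUBLISH_CAP = ['publish', 'future', 'private'];
const KNOWN_STATUSES    = ['draft', 'pending', 'publish', 'future', 'private'];

function role_can(string $role, string $cap): bool
{
    // Unknown roles get no capabilities at all.
    return in_array($cap, ROLE_CAPS[$role] ?? [], true);
}

// Before: the status from the request is trusted as-is.
function resolve_status_unchecked(array $request)
{
    return $request['post_status'] ?? 'draft';
}

// After: the status is validated against the user's capabilities.
function resolve_status_checked(array $request, string $role): string
{
    $status = $request['post_status'] ?? 'draft';
    // Reject non-string or unrecognized values instead of storing them.
    if (!is_string($status) || !in_array($status, KNOWN_STATUSES, true)) {
        return 'draft';
    }
    // Users without publish_posts are downgraded to "pending review".
    if (in_array($status, NEEDS_PUBLISH_CAP, true) && !role_can($role, 'publish_posts')) {
        return 'pending';
    }
    return $status;
}

$request = ['post_status' => 'publish']; // constructed form submission
foreach (['contributor', 'author'] as $role) {
    printf("%-12s unchecked=%-8s checked=%s\n", $role,
        resolve_status_unchecked($request), resolve_status_checked($request, $role));
}
```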

WordPress developer and security team member Andrew Nacin together with a user named Benjamin Balter are credited with identifying the flaw.

"We suggest you update to 3.1.2 promptly, especially if you allow users to register as contributors or if you have untrusted users," the WordPress development team advises.

The release also addresses several bugs that didn't make it into WordPress 3.1.1, released less than a month ago, on April 6.

These include fixing the user query ordering by post count for cases when the database table prefix is not the standard wp_, fixing tag queries which were broken in 3.1.1, preventing over-escaping of post titles when using Quick Edit for pages, and ensuring Walker_PageDropdown filters titles correctly.

WordPress is the most popular content publishing platform, which makes it an attractive target for cyber criminals. There have been many attacks exploiting WordPress vulnerabilities in the past, so keeping installations up to date is critical.

This can be done from the Dashboard > Updates menu, and since this is only a minor upgrade, it shouldn't cause any problems. WordPress 3.1.2 can also be downloaded and installed manually.

Earlier this month, Automattic, the company operating the WordPress.com blogging service and sponsoring the open source project, suffered a security breach which resulted in several of its servers being rooted by hackers.

No critical information was compromised, but the incident stands as a warning that not even companies with a lot of experience in designing web applications are invulnerable to hacking.