Dec 9, 2010 12:59 GMT

WordPress 3.0.3 has just been released as a security update to address a vulnerability that makes it possible for low-level users to edit or delete posts without authorization.

The vulnerability is located in the remote publishing interface, which allows users to edit content from desktop or mobile applications without visiting the actual website.

The remote publishing interface uses the XML-RPC protocol, and WordPress’s implementation of it did not properly check the calling user’s permissions before acting on a post.

Because of this, users holding only the Author or Contributor role were able, under certain conditions, to perform actions that their role should not have allowed.

According to the changelog, WordPress 3.0.3 “fixes issues in the XML-RPC remote publishing interface which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish or delete posts.”

The newly released version involves changes in four files, wp-includes/version.php, wp-admin/includes/update-core.php, readme.html and xmlrpc.php, where the actual patch was made.
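As an added illustration of the class of flaw described above (this is modelled code written for this page, not WordPress’s xmlrpc.php, and the role/capability table, the user accounts and the posts are all constructed assumptions), the following Python puts an XML-RPC-style post-editing handler that stops at authentication beside one that also authorizes the caller against the specific post and treats publishing as its own privileged action:

```python
"""Added illustrative model (not WordPress code) of an XML-RPC post-editing
handler with and without per-object authorization. The role/capability table
and every user and post below are constructed assumptions for the example."""
from dataclasses import dataclass

# Assumed simplified capability table; real WordPress roles are richer. It is
# only enough to show why authentication alone is not authorization.
CAPS = {
    "contributor": {"edit_posts"},
    "author": {"edit_posts", "publish_posts", "delete_posts"},
    "editor": {"edit_posts", "edit_others_posts", "publish_posts",
               "delete_posts", "delete_others_posts"},
}


@dataclass
class User:
    name: str
    role: str
    password: str


@dataclass
class Post:
    id: int
    author: str
    status: str      # "draft" or "publish"
    content: str


class AuthError(Exception):
    pass


class Forbidden(Exception):
    pass


def authenticate(users, username, password):
    """Credential check only: proves who is calling, not what they may do."""
    user = users.get(username)
    if user is None or user.password != password:
        raise AuthError("bad credentials")
    return user


def edit_post_unchecked(users, posts, username, password, post_id, status, content):
    """Flawed handler: any authenticated user may edit or publish any post,
    because the login is the only gate. Models the failure pattern the
    article describes; it is not a copy of the real vulnerable code."""
    authenticate(users, username, password)
    post = posts[post_id]
    post.status, post.content = status, content
    return True


def can(user, post, action):
    """Per-object authorization: does this user hold the capability that
    `action` on *this* post requires, given whether they own it?"""
    own = post.author == user.name
    caps = CAPS[user.role]
    if action == "edit":
        return "edit_posts" in caps if own else "edit_others_posts" in caps
    if action == "publish":
        return "publish_posts" in caps and can(user, post, "edit")
    if action == "delete":
        return "delete_posts" in caps if own else "delete_others_posts" in caps
    return False


def edit_post_checked(users, posts, username, password, post_id, status, content):
    """Hardened handler: authenticate, then authorize against the target
    post, and treat a transition to "publish" as a separate privileged step."""
    user = authenticate(users, username, password)
    post = posts.get(post_id)
    if post is None:
        raise KeyError(post_id)
    if not can(user, post, "edit"):
        raise Forbidden(f"{user.name} may not edit post {post_id}")
    if status == "publish" and post.status != "publish" and not can(user, post, "publish"):
        raise Forbidden(f"{user.name} may not publish post {post_id}")
    post.status, post.content = status, content
    return True


def build_fixture():
    """Constructed sample data: an author, a contributor, an editor, two drafts."""
    users = {
        "alice": User("alice", "author", "alice-pw"),
        "carol": User("carol", "contributor", "carol-pw"),
        "ed": User("ed", "editor", "ed-pw"),
    }
    posts = {
        1: Post(1, "alice", "draft", "alice's draft"),
        2: Post(2, "carol", "draft", "carol's draft"),
    }
    return users, posts


def attempt(handler, *args):
    """Run a handler and report the outcome as a short string."""
    try:
        handler(*args)
        return "ok"
    except Forbidden:
        return "forbidden"
    except AuthError:
        return "unauthenticated"


if __name__ == "__main__":
    for handler in (edit_post_unchecked, edit_post_checked):
        users, posts = build_fixture()
        # The contributor, with her own valid login, tries to publish the author's draft.
        print(handler.__name__, "->",
              attempt(handler, users, posts, "carol", "carol-pw", 1, "publish", "defaced"))
```

The point the hardened handler makes is that the check must be made against the target object, not just the caller’s login, and that each distinct action (edit, publish, delete) is a separate decision; in WordPress terms the analogue is a `current_user_can( 'edit_post', $post_id )`-style capability check in the XML-RPC method before the post is touched, which is what the article says the original implementation was missing.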

It’s worth noting that the remote publishing functionality is disabled by default in WordPress installations, which limits this vulnerability’s impact: a site that never enabled XML-RPC is not exposed. If unsure, users can check the feature’s state on the “Settings > Writing” page.

WordPress 3.0.3 is an update for all previous versions of the software and can be installed from the “Dashboard > Updates” screen.

The new version comes a week after WordPress 3.0.2, which patched a different privilege escalation vulnerability along with two cross-site scripting flaws.

Because 3.0.2 was also a maintenance release that addressed stability issues, 3.0.3 contains no non-security bug fixes; it is a security-only update.

WordPress is the most popular content publishing platform, which also makes it an attractive target for cyber criminals. There have been many mass injection attacks exploiting WordPress vulnerabilities in the past, so keeping installations up to date is critical.