
Yesterday WordPress was updated to version 3.0.2 to address a specific security issue that could allow someone with Author-level rights to gain increased access to a site.  It also contains fixes for several other bugs and other security enhancements.

This update is considered a mandatory security update for any previous version of WordPress.

Here is a summary of the fixes:

  • Fix moderate security issue where a malicious Author-level user could gain further access to the site. (r16625)

Other bugs and security hardening:

  • Remove pingback/trackback blogroll whitelisting feature as it can easily be abused. (#13887)
  • Fix canonical redirection for permalinks containing %category% with nested categories and paging. (#13471)
  • Fix occasional irrelevant error messages on plugin activation. (#15062)
  • Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin. (r16367, r16373)
  • Clarify the license in the readme. (r15534)
  • Multisite: Fix the delete_user meta capability. (r15562)
  • Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins (#15122)
  • Multisite: Fix ms-files.php content type headers when requesting a URL with a query string (#14450)
  • Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs (#14536)

If you're not already running at least version 3.0, then you are way behind the eight ball as it relates to the security of your WordPress installation. This update would be a perfect time to go ahead and make the transition to version 3.0 so that you have the latest fixes. Having a website out there running anything less than this update is just asking for trouble and puts your data at risk.