Yesterday WordPress was updated to version 3.0.2 to address a specific security issue that could allow a user with Author-level rights to gain increased access to a site. The release also contains fixes for several other bugs and some additional security hardening.
This update is considered a mandatory security update for any previous version of WordPress.
Here is a summary of the fixes:
- Fix moderate security issue where a malicious Author-level user could gain further access to the site. (r16625)
Other bugs and security hardening:
- Remove pingback/trackback blogroll whitelisting feature as it can easily be abused. (#13887)
- Fix canonical redirection for permalinks containing %category% with nested categories and paging. (#13471)
- Fix occasional irrelevant error messages on plugin activation. (#15062)
- Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin. (r16367, r16373)
- Clarify the license in the readme (r15534)
- Multisite: Fix the delete_user meta capability (r15562)
- Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins (#15122)
- Multisite: Fix ms-files.php content type headers when requesting a URL with a query string (#14450)
- Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs (#14536)
If you're not already running at least version 3.0, you are way behind the eight ball when it comes to the security of your WordPress installation. This update is the perfect time to make the transition to the 3.0 branch so that you have the latest fixes. Leaving a website out there on anything older than this update is just asking for trouble and puts your data at risk.
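As a practical check, here is a small script to confirm which version a site is actually running. This is an added example written for this post, not code from WordPress itself; it assumes the standard WordPress layout, where wp-includes/version.php contains a line of the form `$wp_version = '3.0.2';`, and it reads that file directly so no PHP is needed. The sample file contents embedded in the script are constructed for demonstration.

```python
"""Report whether a WordPress tree is at or above the version this update requires.

WordPress stores its version in wp-includes/version.php as a PHP assignment
such as  $wp_version = '3.0.2';  which this script parses as plain text.
"""
import re
import sys
from pathlib import Path

# The release discussed in this post; anything earlier should be upgraded.
REQUIRED_VERSION = "3.0.2"

_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_wp_version(php_source: str) -> str:
    """Extract the value assigned to $wp_version from the text of version.php."""
    m = _VERSION_RE.search(php_source)
    if m is None:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_key(version: str) -> tuple:
    """Turn '3.0.2' or '3.1-beta1' into a tuple that sorts in release order.

    Numeric components compare as integers (so 3.10 > 3.9), a missing
    third component counts as 0 (3.0 == 3.0.0), and a pre-release suffix
    sorts below the plain release it precedes (3.1-beta1 < 3.1).
    """
    core, sep, suffix = version.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    nums = nums + (0,) * (3 - len(nums))
    return (nums, 0 if sep == "" else -1, suffix)


def is_up_to_date(installed: str, required: str = REQUIRED_VERSION) -> bool:
    """True when the installed version is the required one or newer."""
    return version_key(installed) >= version_key(required)


def check_install(wp_root: str, required: str = REQUIRED_VERSION) -> tuple:
    """Read wp-includes/version.php under wp_root; return (installed, ok)."""
    path = Path(wp_root, "wp-includes", "version.php")
    installed = parse_wp_version(path.read_text(encoding="utf-8"))
    return installed, is_up_to_date(installed, required)


# Constructed sample of the relevant part of version.php from an out-of-date
# install (the real file carries further definitions that this check ignores).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '3.0.1';
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python wp_version_check.py /path/to/wordpress
        installed, ok = check_install(sys.argv[1])
    else:
        installed = parse_wp_version(SAMPLE_VERSION_PHP)
        ok = is_up_to_date(installed)
    print(f"installed {installed}, required {REQUIRED_VERSION}: "
          f"{'OK' if ok else 'UPGRADE NEEDED'}")
    sys.exit(0 if ok else 1)
```

Run it against the document root of each site you manage (the exit status makes it easy to loop over many installs from cron or a deployment script). A plain string comparison would not do here, which is why the script breaks the version into numeric components: "3.10" must rank above "3.9", and a pre-release such as "3.1-beta1" must rank below "3.1".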