If you’re using WordPress, make sure to update to the latest version (3.0.2) as soon as possible, especially if you have multiple authors with access to your blog/site.
Details about the security issue fixed:
This maintenance release fixes a moderate security issue that could allow a malicious Author-level user to gain further access to the site, addresses a handful of bugs, and provides some additional security enhancements. Big thanks to Vladimir Kolesnikov for detailed and responsible disclosure of the security issue!
The changes between 3.0.1 and 3.0.2 are pretty small and only these files were modified:
wp-admin/includes/file.php
wp-admin/includes/plugin.php
wp-admin/includes/update-core.php
wp-admin/plugins.php
wp-includes/canonical.php
wp-includes/capabilities.php
wp-includes/comment.php
wp-includes/functions.php
wp-includes/load.php
wp-includes/ms-files.php
wp-includes/version.php
By looking at the source code diff, we can see that they fixed some small XSS (cross-site scripting) vulnerabilities as well, so this is a good update for everyone to apply. To the credit of the WordPress team, they had this patched within a few hours of disclosure.
If you can’t use the automatic update, make sure to overwrite these files. While on the topic of WordPress, check our post on securing WordPress as well.
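If you are patching by hand, it helps to verify afterwards that every file touched in 3.0.2 was actually replaced. The script below is an added example (not code from this post or from the WordPress project): given a clean, extracted 3.0.2 tree and the install directory of a site, it reads the installed version out of wp-includes/version.php and reports any of the eleven listed files that are missing or still differ from the reference copy. The two directory paths are assumptions you supply on the command line; the file list is the one given above.

```shell
#!/bin/sh
# Added example: verify a manual WordPress 3.0.2 patch by comparing the files
# changed in this release against a clean 3.0.2 tree. Both paths are
# assumptions supplied by the caller; the file list comes from the post.

WP_302_FILES="wp-admin/includes/file.php
wp-admin/includes/plugin.php
wp-admin/includes/update-core.php
wp-admin/plugins.php
wp-includes/canonical.php
wp-includes/capabilities.php
wp-includes/comment.php
wp-includes/functions.php
wp-includes/load.php
wp-includes/ms-files.php
wp-includes/version.php"

# Print the value assigned to $wp_version in wp-includes/version.php of an install.
# WordPress declares it as:  $wp_version = '3.0.2';
wp_installed_version() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Compare every file changed in 3.0.2 between the reference tree ($1) and the
# site ($2). Prints MISSING or STALE lines for anything not yet patched.
# Returns 0 when all files match the reference, 1 otherwise.
wp_check_302_files() {
    ref="$1"; site="$2"; stale=0
    for f in $WP_302_FILES; do
        if [ ! -f "$site/$f" ]; then
            echo "MISSING  $f"; stale=1
        elif ! cmp -s "$ref/$f" "$site/$f"; then
            echo "STALE    $f"; stale=1
        fi
    done
    return $stale
}

# Usage: sh check_wp302.sh /path/to/clean-wordpress-3.0.2 /path/to/site
if [ "$#" -eq 2 ]; then
    echo "installed version: $(wp_installed_version "$2")"
    wp_check_302_files "$1" "$2" && echo "all 3.0.2 files match the reference"
fi
```

Comparing byte-for-byte against a clean download is deliberate: the version string alone proves nothing if wp-includes/version.php was replaced but one of the other files was not, and that is exactly the kind of partial update a file-by-file overwrite invites.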
Visit sucuri.net if you need your web site monitored for security issues, malware, spam, etc. If you are currently blacklisted or infected with malware, we fix that too.