WordPress 3.0.3 released (security update)

Running WordPress? Time to update it again! Version 3.0.3 has been released, fixing several security vulnerabilities. If you can’t upgrade right away, make sure remote publishing is disabled: open the “Settings → Writing” page and check that it is turned off.

Details http://wordpress.org/news/2010/12/wordpress-3-0-3/

This release fixes issues in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts.

These issues only affect sites that have remote publishing enabled.

Remote publishing is disabled by default, but you may have enabled it to use a remote publishing client such as one of the WordPress mobile apps. You can check these settings on the “Settings → Writing” screen.


What changed? The only file modified was xmlrpc.php, which was not checking permissions properly. This is the diff (note the argument order in the command below: the 3.0.3 file is listed first, so “<” lines are the fixed code and “>” lines are the vulnerable 3.0.2 code):

diff -r wordpress-3.0.3/xmlrpc.php wordpress-3.0.2/xmlrpc.php
1159c1159
<         if ( !$comment = get_comment( $comment_ID ) )
---
>         if ( ! get_comment($comment_ID) )
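Review bot: at 1159 the 3.0.3 line assigns inside the negated condition (`!$comment = get_comment( $comment_ID )`), which PHP parses as `!($comment = get_comment(...))` and so behaves, but it reads like a precedence trap; an assignment on its own line followed by `if ( !$comment )` would make it obvious that `$comment` is being captured for the permission check that follows, whereas the 3.0.2 form discarded the object and therefore could not check anything about the comment's parent post.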
1162,1164d1161
<         if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
<             return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
< 
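Review bot: the 3.0.2 side of this hunk has no capability check at all; 3.0.3 adds `current_user_can( 'edit_post', $comment->comment_post_ID )` at 1162-1164, keying the check on the comment's parent post rather than a blog-wide capability, which is the right granularity since moderating a comment is an edit of the post it belongs to. The message at 1163 says "moderate comments on this site" although the decision is per post; wording it per post would match what was actually checked.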
1191,1196d1187
<         if ( !$comment = get_comment( $comment_ID ) )
<             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
< 
<         if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
<             return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
< 
1198a1190,1192
>         if ( ! get_comment($comment_ID) )
>             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
> 
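Review bot: the 3.0.2 existence check at 1190-1192 (`if ( ! get_comment($comment_ID) )`) ran after the lines that 3.0.3 keeps at 1197-1198, and there was no permission check in this method either; 3.0.3 hoists the lookup to 1191, keeps the returned object, and tests `edit_post` on `$comment->comment_post_ID` before anything else touches the comment. This is the second method in the file with the identical lookup-then-check pair, so a shared helper that returns either the comment or the IXR_Error would remove the duplication and make the next audit shorter.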
1426c1420
<         if ( !current_user_can( 'edit_pages' ) )
---
>         if ( !current_user_can( 'edit_posts' ) )
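Review bot: at 1420 the 3.0.2 code gated what the fixed line treats as a page operation on `edit_posts`. In the default roles, Contributors and Authors hold `edit_posts` but not `edit_pages`, so the old check let them through; 3.0.3 tests `edit_pages` at 1426. A grep for `edit_posts` inside the remaining page-handling methods would show whether any other instance of the same substitution survived.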
1966c1960
<         if ( !current_user_can('delete_post', $post_ID) )
---
>         if ( !current_user_can('edit_post', $post_ID) )
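Review bot: at 1960 the deletion path tested `edit_post` instead of `delete_post`. These are distinct meta capabilities resolved separately by map_meta_cap, so being allowed to edit a post does not imply being allowed to delete it; the 3.0.3 line at 1966 tests the capability that matches the action. The other destructive methods in the file are worth checking for the same edit/delete mix-up.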
1996c1990
<         $publish     = isset( $args[4] ) ? $args[4] : 0;
---
>         $publish     = $args[4];
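Review bot: `$publish = $args[4];` at 1990 reads the argument without checking that it was supplied, so a client that omits it produces an undefined-index notice and `$publish` becomes null. The 3.0.3 `isset( $args[4] ) ? $args[4] : 0` at 1996 defaults to not publishing, which is the safe direction; casting the result to bool as well would give the later `( $publish ) ?` ternaries a normalized value instead of whatever type the XML-RPC client sent.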
2002a1997,1999
>         $cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
>         $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
>         $post_type = 'post';
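Review bot: 3.0.2 initialised `$cap`, `$error_message` and `$post_type` to post defaults at 1997-1999 before branching on the content type, and 3.0.3 removes those defaults. That is only correct if every branch now assigns all three (the post branch and the fallback `else` visibly do at 2015-2020 and 2025-2031); a branch that sets only `$cap` would leave the error path emitting undefined-variable notices. An alternative that keeps a default would have been to initialise `$cap` to the stricter `publish_posts` rather than `edit_posts`, so that a missed branch fails closed.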
2006,2009c2003
<                 if ( $publish || 'publish' == $content_struct['page_status'])
<                     $cap  = 'publish_pages';
<                 else
<                     $cap = 'edit_pages';
---
>                 $cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
2015,2020c2009
<                 if ( $publish || 'publish' == $content_struct['post_status'])
<                     $cap  = 'publish_posts';
<                 else
<                     $cap = 'edit_posts';
<                 $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
<                 $post_type = 'post';
---
>                 // This is the default, no changes needed
2025,2031d2013
<         } else {
<             if ( $publish || 'publish' == $content_struct['post_status'])
<                 $cap  = 'publish_posts';
<             else
<                 $cap = 'edit_posts';
<             $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
<             $post_type = 'post';
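Review bot: the substantive fix across 2006-2031 is the added `|| 'publish' == $content_struct['post_status']` (and `page_status`) in the capability selection. In 3.0.2 the capability was chosen from the `$publish` flag alone, so a request could ask for a published status through the content struct while only being checked against `edit_posts`/`edit_pages`; Contributors hold `edit_posts` but not `publish_posts`, which is the Contributor-publishing problem the release notes describe. For consistency with the page branch at 2006-2009, the if/else blocks at 2015-2020 and 2025-2031 could be written as the same one-line ternary.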
2296,2299c2278
<                 if ( $publish || 'publish' == $content_struct['page_status'] )
<                     $cap  = 'publish_pages';
<                 else
<                     $cap = 'edit_pages';
---
>                 $cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
2305,2310c2284
<                 if ( $publish || 'publish' == $content_struct['post_status'] )
<                     $cap  = 'publish_posts';
<                 else
<                     $cap = 'edit_posts';
<                 $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
<                 $post_type = 'post';
---
>                 // This is the default, no changes needed
2315,2321d2288
<         } else {
<             if ( $publish || 'publish' == $content_struct['post_status'] )
<                 $cap  = 'publish_posts';
<             else
<                 $cap = 'edit_posts';
<             $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
<             $post_type = 'post';
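Review bot: hunks 2296-2321 repeat the 2006-2031 change verbatim in a second method. That duplication is exactly how the original omission survived in two places; factoring the capability selection into one helper that takes `$publish` and the content struct would mean the next fix lands once. No objection to the logic itself, which matches the earlier hunk line for line.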
3137c3104
<         if ( !current_user_can('publish_posts') || !current_user_can('edit_post', $post_ID) )
---
>         if ( !current_user_can('edit_post', $post_ID) )
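Review bot: at 3104 the publish method required only `edit_post` on the target post; a Contributor may edit their own draft, so that check alone did not stop them from publishing it. 3.0.3 adds `current_user_can('publish_posts')` in front at 3137, which is the right additional gate. Worth confirming whether this method can be called with a page ID, in which case `publish_pages` would be the matching capability to test instead.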
3375c3342
< ?>
\ No newline at end of file
---
> ?>
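The diff above is classic (non-unified) diff output with the fixed file listed first, so “<” is the 3.0.3 code and “>” the 3.0.2 code. As an added example, not part of the original post, here is a small Python parser for that format that labels each hunk from the 3.0.3 point of view and lists the capability checks a hunk introduces; the embedded sample is a constructed excerpt in the same format.

```python
import re

# Classic diff hunk headers look like "1159c1159", "1162,1164d1161" or "1198a1190,1192".
HUNK_HEADER = re.compile(r"^(\d+)(?:,(\d+))?([acd])(\d+)(?:,(\d+))?$")
CAP_CALL = re.compile(r"current_user_can\(\s*'([a-z_]+)'")
# Constructed excerpt in the post's format (fixed 3.0.3 file listed first).
SAMPLE = """\
diff -r wordpress-3.0.3/xmlrpc.php wordpress-3.0.2/xmlrpc.php
1162,1164d1161
<         if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
<             return new IXR_Error( 403, __( 'Not allowed.' ) );
<
1966c1960
<         if ( !current_user_can('delete_post', $post_ID) )
---
>         if ( !current_user_can('edit_post', $post_ID) )
1198a1190,1192
>         if ( ! get_comment($comment_ID) )
>
"""

def parse_classic_diff(text, new_first=True):
    """Hunks as dicts with op/header/added/removed; '<' lines are the first file (3.0.3 here)."""
    hunks = []
    for line in text.splitlines():
        m = HUNK_HEADER.match(line)
        if m:
            hunks.append({"op": m.group(3), "header": line, "left": [], "right": []})
        elif line.startswith("<"):
            hunks[-1]["left"].append(line[2:])  # blank diff lines are a bare "<"
        elif line.startswith(">"):
            hunks[-1]["right"].append(line[2:])
        elif line == "---" or line.startswith(("\\", "diff ", "Only in ")):
            continue  # change separator, "No newline" marker, diff -r banner
        else:
            raise ValueError("not classic diff output: %r" % line)
    for h in hunks:
        # With new_first the '<' side is the fixed code, i.e. what the fix added.
        h["added"], h["removed"] = (h["left"], h["right"]) if new_first else (h["right"], h["left"])
    return hunks

def capability_checks_introduced(text, new_first=True):
    """Capabilities a hunk's new lines test that its old lines did not."""
    found = set()
    for h in parse_classic_diff(text, new_first):
        new_caps = {c for l in h["added"] for c in CAP_CALL.findall(l)}
        old_caps = {c for l in h["removed"] for c in CAP_CALL.findall(l)}
        found |= new_caps - old_caps
    return sorted(found)
```

Run it over the full diff from the post with new_first=True to get the same "what did 3.0.3 start checking" view; pass new_first=False for a diff produced in the usual old-then-new order.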

Visit sucuri.net if you need your web site monitored for security issues, malware, spam, etc. If you are currently blacklisted or infected with malware, we fix that too.

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.