WordPress 3.0.3 released (security update)

Running WordPress? Time to update it again! Version 3.0.3 has been released, fixing several security vulnerabilities in the remote publishing (XML-RPC) interface. If you can’t upgrade right away, disable remote publishing under “Settings → Writing” until you can, since the flaws are only reachable when it is enabled.

Details: http://wordpress.org/news/2010/12/wordpress-3-0-3/

This release fixes issues in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts.

These issues only affect sites that have remote publishing enabled.

Remote publishing is disabled by default, but you may have enabled it to use a remote publishing client such as one of the WordPress mobile apps. You can check these settings on the “Settings → Writing” screen.


What changed? The only file modified was xmlrpc.php, which was not checking capabilities properly before acting on posts and comments. Note the direction of the diff below: it was run with 3.0.3 as the first argument, so lines marked `<` are the fixed 3.0.3 code and lines marked `>` are the vulnerable 3.0.2 code. This is the diff:

diff -r wordpress-3.0.3/xmlrpc.php wordpress-3.0.2/xmlrpc.php
1159c1159
<         if ( !$comment = get_comment( $comment_ID ) )
---
>         if ( ! get_comment($comment_ID) )
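Review bot: the `<` (3.0.3) line of 1159c1159 assigns inside the condition, `!$comment = get_comment( $comment_ID )`, so that `$comment->comment_post_ID` is available to the capability check that follows; this is valid PHP (the assignment binds first, then `!` applies to the result), but it reads more clearly as two statements: `$comment = get_comment( $comment_ID ); if ( ! $comment )`. The 3.0.2 `>` form discards the object, which is only acceptable when nothing downstream needs it, and here the next hunk does.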
1162,1164d1161
<         if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
<             return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
< 
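Review bot: the 3.0.2 side of 1162,1164d1161 has no capability test at all between looking the comment up and acting on it, so any caller who reached this method could moderate any comment. The `<` lines add `current_user_can( 'edit_post', $comment->comment_post_ID )`, tying moderation rights to the comment's parent post rather than to a site-wide flag, which is the right object to check. The 403 text says "moderate comments" while the capability tested is edit_post on the post; that is fine, but worth one line in the method's docblock so the next reader does not think a comment-specific capability was intended.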
1191,1196d1187
<         if ( !$comment = get_comment( $comment_ID ) )
<             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
< 
<         if ( !current_user_can( 'edit_post', $comment->comment_post_ID ) )
<             return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
< 
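Review bot: in 1191,1196d1187 the lookup and its 404 necessarily run before the capability check, because the comment's post ID is needed for the `edit_post` test; the side effect is that a caller with no rights to the post can distinguish an unknown comment ID (404) from a forbidden one (403). If comment ID enumeration by low-privileged accounts is a concern, return the same 403 in both cases; otherwise the ordering is consistent with the delete path above.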
1198a1190,1192
>         if ( ! get_comment($comment_ID) )
>             return new IXR_Error( 404, __( 'Invalid comment ID.' ) );
> 
1426c1420
<         if ( !current_user_can( 'edit_pages' ) )
---
>         if ( !current_user_can( 'edit_posts' ) )
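Review bot: 1426c1420 corrects a capability-to-object mismatch: the 3.0.2 `>` line gated a page operation on `edit_posts`, which every Contributor and Author holds in the default role set, whereas `edit_pages` on the `<` side is held only by Editors and above. Add a short comment next to the check naming the object type; the two strings differ by one word and the mistake is easy to reintroduce in a copy-paste.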
1966c1960
<         if ( !current_user_can('delete_post', $post_ID) )
---
>         if ( !current_user_can('edit_post', $post_ID) )
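Review bot: 1966c1960 changes the meta capability to match the action, `delete_post` instead of `edit_post`. The two are mapped separately (delete_post resolves through delete_published_posts / delete_others_posts, edit_post through the edit_* equivalents), so a role allowed to edit a post is not necessarily allowed to delete it; the 3.0.2 `>` check let that distinction collapse.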
1996c1990
<         $publish     = isset( $args[4] ) ? $args[4] : 0;
---
>         $publish     = $args[4];
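Review bot: the `>` side of 1996c1990 reads `$args[4]` unconditionally; the fifth argument is optional, so a client that omits it raises an undefined-offset notice and leaves `$publish` null. The `<` side's `isset( $args[4] ) ? $args[4] : 0` fails closed to "not publishing", the right default for untrusted input; consider casting to `(bool)` as well, since the client controls the type and the value is later used as a flag.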
2002a1997,1999
>         $cap = ( $publish ) ? 'publish_posts' : 'edit_posts';
>         $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
>         $post_type = 'post';
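Review bot: in 2002a1997,1999 the 3.0.2 code decides `$cap` from `$publish` alone, before the post_type switch, so the client-supplied `post_status` / `page_status` inside `$content_struct` never enters the authorization decision even though it can produce the same published result; the following hunks show 3.0.3 adding `|| 'publish' == $content_struct['post_status']` for exactly that reason. An authorization check has to consider every input that can yield the privileged outcome, not only the flag named for it.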
2006,2009c2003
<                 if ( $publish || 'publish' == $content_struct['page_status'])
<                     $cap  = 'publish_pages';
<                 else
<                     $cap = 'edit_pages';
---
>                 $cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
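Review bot: the `<` lines of 2006,2009c2003 read `$content_struct['page_status']` without `isset()`; a client that omits the key triggers an undefined-index notice (the comparison is then false, so the outcome is still safe). Use `( isset( $content_struct['page_status'] ) && 'publish' == $content_struct['page_status'] )`. Also confirm whether any other status a client may set here should require `publish_pages`, since only the literal 'publish' is compared.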
2015,2020c2009
<                 if ( $publish || 'publish' == $content_struct['post_status'])
<                     $cap  = 'publish_posts';
<                 else
<                     $cap = 'edit_posts';
<                 $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
<                 $post_type = 'post';
---
>                 // This is the default, no changes needed
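Review bot: the 3.0.2 comment "This is the default, no changes needed" in 2015,2020c2009 was true only because `$cap`, `$error_message` and `$post_type` were assigned before the switch (2002a1997,1999). With those defaults gone on the `<` side, every branch must set all three variables itself; a future `case` that forgets `$cap` ends up calling `current_user_can()` with an undefined variable. Keeping a safe default (`edit_posts`) before the switch and overriding it per branch avoids that failure mode.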
2025,2031d2013
<         } else {
<             if ( $publish || 'publish' == $content_struct['post_status'])
<                 $cap  = 'publish_posts';
<             else
<                 $cap = 'edit_posts';
<             $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
<             $post_type = 'post';
2296,2299c2278
<                 if ( $publish || 'publish' == $content_struct['page_status'] )
<                     $cap  = 'publish_pages';
<                 else
<                     $cap = 'edit_pages';
---
>                 $cap = ( $publish ) ? 'publish_pages' : 'edit_pages';
2305,2310c2284
<                 if ( $publish || 'publish' == $content_struct['post_status'] )
<                     $cap  = 'publish_posts';
<                 else
<                     $cap = 'edit_posts';
<                 $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
<                 $post_type = 'post';
---
>                 // This is the default, no changes needed
2315,2321d2288
<         } else {
<             if ( $publish || 'publish' == $content_struct['post_status'] )
<                 $cap  = 'publish_posts';
<             else
<                 $cap = 'edit_posts';
<             $error_message = __( 'Sorry, you are not allowed to publish posts on this site.' );
<             $post_type = 'post';
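Review bot: the six-line `$cap` / `$error_message` / `$post_type` block on the `<` side appears four times across the newPost and editPost hunks (2015-2020, 2025-2031, 2305-2310, 2315-2321), differing only in whether `page_status` or `post_status` is read. Factor it into one helper taking `$publish`, the status string and the post type, returning the required capability and message, so that the next fix to this decision lands in one place.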
3137c3104
<         if ( !current_user_can('publish_posts') || !current_user_can('edit_post', $post_ID) )
---
>         if ( !current_user_can('edit_post', $post_ID) )
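Review bot: 3137c3104 adds the missing `publish_posts` test to the publish method; the 3.0.2 `>` line required only `edit_post` on the target, which a Contributor holds for his own unpublished draft, so a Contributor could publish through this call although the role has no `publish_posts`. Consider routing this method through the same capability selection as newPost and editPost so publishing is gated identically everywhere.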
3375c3342
< ?>
 No newline at end of file
---
> ?>
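To make the authorization gap in the diff concrete, here is an added example in PHP. It is not WordPress code and not part of the original post: the functions `requiredCap302()` and `requiredCap303()` model the capability decision on the `>` (3.0.2) and `<` (3.0.3) sides of the diff, `modelUserCan()` stands in for `current_user_can()`, and `$roleCaps` is an assumed, reduced version of the default WordPress role table. The requests at the bottom are constructed.

```php
<?php
// Added example (not WordPress code): a self-contained model of the capability
// decision xmlrpc.php makes before creating or editing a post, showing the
// 3.0.2 logic (">" side of the diff) beside the 3.0.3 logic ("<" side).
// $roleCaps is an assumed, reduced stand-in for the default WordPress roles.

$roleCaps = [
    'contributor' => ['edit_posts' => true],
    'author'      => ['edit_posts' => true, 'publish_posts' => true],
    'editor'      => ['edit_posts' => true, 'publish_posts' => true,
                      'edit_pages' => true, 'publish_pages' => true],
];

// Stand-in for current_user_can(): true only if the role holds the capability.
function modelUserCan(array $roleCaps, string $role, string $cap): bool
{
    return !empty($roleCaps[$role][$cap]);
}

// 3.0.2: only the boolean publish argument selects the capability; the status
// the client places in the content struct is never consulted.
function requiredCap302(bool $publish, array $contentStruct): string
{
    $postType = $contentStruct['post_type'] ?? 'post';
    if ($postType === 'page') {
        return $publish ? 'publish_pages' : 'edit_pages';
    }
    return $publish ? 'publish_posts' : 'edit_posts';
}

// 3.0.3: a status of "publish" in the content struct also requires the publish
// capability. The status is read with ?? so a missing key cannot raise a notice.
function requiredCap303(bool $publish, array $contentStruct): string
{
    $postType = $contentStruct['post_type'] ?? 'post';
    if ($postType === 'page') {
        $status = $contentStruct['page_status'] ?? '';
        return ($publish || $status === 'publish') ? 'publish_pages' : 'edit_pages';
    }
    $status = $contentStruct['post_status'] ?? '';
    return ($publish || $status === 'publish') ? 'publish_posts' : 'edit_posts';
}

// Constructed requests. The second one is the case the fix addresses: a
// Contributor passes publish=false but asks for post_status "publish".
$requests = [
    ['role' => 'contributor', 'publish' => false,
     'content' => ['title' => 'Draft',  'post_status' => 'draft']],
    ['role' => 'contributor', 'publish' => false,
     'content' => ['title' => 'Sneaky', 'post_status' => 'publish']],
    ['role' => 'author',      'publish' => true,
     'content' => ['title' => 'Legit',  'post_status' => 'publish']],
    ['role' => 'author',      'publish' => false,
     'content' => ['title' => 'Page', 'post_type' => 'page', 'page_status' => 'draft']],
];

foreach ($requests as $r) {
    foreach (['3.0.2' => 'requiredCap302', '3.0.3' => 'requiredCap303'] as $version => $fn) {
        $cap     = $fn($r['publish'], $r['content']);
        $verdict = modelUserCan($roleCaps, $r['role'], $cap) ? 'allowed' : 'denied';
        printf("%s %-11s %-6s publish=%-5s status=%-7s needs %-13s -> %s\n",
            $version, $r['role'], $r['content']['title'],
            $r['publish'] ? 'true' : 'false',
            $r['content']['post_status'] ?? $r['content']['page_status'] ?? '-',
            $cap, $verdict);
    }
}
```

Run it with `php` on the command line. For the "Sneaky" request the 3.0.2 model requires only `edit_posts`, which the Contributor holds, while the 3.0.3 model requires `publish_posts` and denies it; the other requests come out the same under both versions, which is what a fix to an authorization check should look like.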

Visit sucuri.net if you need your web site monitored for security issues, malware, spam, etc. If you are currently blacklisted or infected with malware, we fix that too.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Fabio

    Hey, guys, I’d like to give you a tip.

    In your footer, some links are wrong. Examples:

    . On the tour page, the blog link goes to your tour page
    . On plans and prices, it links to signup2

    Could you check, please?

    • http://armeda.com/ Andres Armeda

      Hey Fabio, thanks for the comment. The link is fixed in both places, we appreciate it!
