WordPress 3.0.4 has been released and it is a critical update, as it fixes an XSS vulnerability.
It is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as critical.
I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.
If you are a security researcher, we’d appreciate you taking a look over this changeset as well to review our update. We’ve given it a lot of thought and review but since this is so core we want as many brains on it as possible. Thanks to Mauro Gentile and Jon Cave (duck_) who discovered and alerted us to these XSS vulnerabilities first.
Changelog: WordPress 3.0.4
Download: WordPress 3.0.4
Download: Modified files since WordPress 3.0.3
WordPress 3.1 RC1 has been released.
An RC comes after the beta period and before final release. That means we think we’re done. We currently have no known issues or bugs to squash. But with tens of millions of users, a variety of configurations, and thousands of plugins, it’s possible we’ve missed something. So if you haven’t tested WordPress 3.1 yet, now is the time! Please though, not on your live site unless you’re extra adventurous.
Things to keep in mind:
- With nearly 700 tickets closed, there are tons of changes. Plugin and theme authors, please test your plugins and themes now, so that if there is a compatibility issue, we can figure it out before the final release.
- Users are also encouraged to test things out. If you find problems, let your plugin/theme authors know so they can figure out the cause.
- If any known issues crop up, you’ll be able to find them here.
If you are testing the release candidate and think you’ve found a bug, there are a few ways to let us know:
To test WordPress 3.1, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip).
We released WordPress 3.1 Beta 1 on Thanksgiving, so it’s only fitting that the release candidate comes as a Christmas present. Happy holidays and happy testing!
If you’d like to know which levers to pull in your testing, check out a list of features in our Beta 1 post.
Download: WordPress 3.1 RC1
WordPress 3.1 Beta 2 is now available!
Check out the list of known issues or if you want to switch your blog over to the beta, try the WordPress Beta Tester Plugin.
Download: WordPress 3.1 Beta 2
WordPress 3.0.3 has been released and it is yet another security update.
This release fixes issues in the remote publishing interface, which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish, or delete posts.
These issues only affect sites that have remote publishing enabled.
Remote publishing is disabled by default, but you may have enabled it to use a remote publishing client such as one of the WordPress mobile apps. You can check these settings on the “Settings > Writing” screen.
Changelog: WordPress 3.0.3
Download: WordPress 3.0.3
Download: Modified files since WordPress 3.0.2
WordPress 3.0.2 is out, and everyone is advised to upgrade, as it is a mandatory security update for all previous WordPress versions.
- Fixed moderate security issue where a malicious Author-level user could gain further access to the site.
- Removed the pingback/trackback blogroll whitelisting feature, as it can easily be abused.
- [Fixed other issues]
Changelog: WordPress 3.0.2
Download: WordPress 3.0.2
Download: Modified files since WordPress 3.0.1