WordPress 2.8.6

WordPress 2.8.6 has been released. This is a security release.

2.8.6 fixes two security problems that can be exploited by registered, logged-in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.
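As an added illustration of the file-name sanitization point (not WordPress's own code), the function below reduces an uploaded name to a single allow-listed extension and a conservative stem, so a web server that assigns handlers per dotted segment sees only one extension; the allow-list follows the approach noted for 2.8.5 below. The allowed-extension list and sample names are constructed for the example.

```php
<?php
// Added illustration (not WordPress code): keep an uploaded file name to a
// single allow-listed extension so a server that maps handlers per dotted
// segment cannot treat any earlier segment as a second extension.
function safe_upload_name(string $original, array $allowed): ?string
{
    // Drop any directory part, whatever separator the client used.
    $name = basename(str_replace('\\', '/', $original));

    // Split off the final extension only; everything before it is the stem.
    $dot = strrpos($name, '.');
    if ($dot === false || $dot === 0) {
        return null;                       // no extension, or a dotfile
    }
    $ext  = strtolower(substr($name, $dot + 1));
    $stem = substr($name, 0, $dot);

    if (!in_array($ext, $allowed, true)) {
        return null;                       // extension not on the allow-list
    }

    // Replace every character outside a conservative set, including any
    // remaining dots, so the stem cannot carry a further extension.
    $stem = trim(preg_replace('/[^A-Za-z0-9_-]+/', '-', $stem), '-');
    if ($stem === '') {
        $stem = 'upload';
    }
    return $stem . '.' . $ext;
}

// Constructed sample names for the example.
$allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
foreach (['photo.jpg', 'report.old.jpg', 'notes.txt', '../x.png'] as $n) {
    var_dump(safe_upload_name($n, $allowed));
}
// "photo.jpg", "report-old.jpg", NULL, "x.png"
```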

Changelog: WordPress 2.8.6
Download: WordPress 2.8.6
Download: Modified files since WordPress 2.8.5


WordPress 2.8.5

WordPress 2.8.5 has been released. This release makes your WordPress even more secure:

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where PHP code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

Changelog: WordPress 2.8.5
Download: WordPress 2.8.5
Download: Modified files since WordPress 2.8.4


WordPress 2.9 Features

Dougal has put up a list of what to expect in WordPress 2.9. Here is the list:

  • Post Thumbnails: add an image to be automatically displayed with the post in various views (main page, archives, etc.). The WordPress logo on this post is added with this feature, plus a filter I added to my theme’s functions.php file.
  • “Trash” status: deleted items such as posts, pages, and comments now go to the “trash”, and can be recovered later, much like deleted files in most modern operating systems.
  • Image editing: basic image manipulation for your media library. You can rotate, flip, resize, and crop images.
  • Widgets outside of sidebars: there is a new template tag called the_widget(), which allows you to put a widget anywhere in your theme.
  • Comment metadata: plugins and themes can now take advantage of arbitrary metadata for comments, just as for posts, pages, and users. This should make it easier to create plugins to highlight “popular” or “hot” comments, among other things.
  • Custom post types: general support for post types other than ‘post’, ‘page’, and ‘attachment’. This plus the custom taxonomy support we already have will go far to address those who like to claim that WordPress is not a ‘real’ CMS. We’ll be able to organize content in ways that I can’t even think of right now (I need more time to brainstorm).
  • Media Embeds: I haven’t had a chance to look over this all the way yet, but it’s basically Viper’s Video Quicktags folded into core (minus the editor buttons at this time), including support for the oEmbed standard. With oEmbed, you can just paste in the URL for a page containing embeddable media, and it can auto-detect the proper way to embed it in your post. Supported services so far appear to be YouTube, Google Video, PollDaddy, and DailyMotion. Plus, theoretically, any service that supports oEmbed, which currently includes YouTube, Flickr, Vimeo, Viddler, Qik, and Hulu, among others (according to the oEmbed site). Whoah, awesome! I’ll post a demo of this soon, but you can read Viper007Bond’s post now for more details.
  • register_theme_directory(): plugins can now add additional theme directories to be searched. This means that a theme can basically come bundled with its own themes. I’ve already got a project that’s been on the back-burner that can use this feature. I think we might see some nifty uses appearing in the future.

For more information, check out Dougal’s post on WordPress 2.9 Features.


WordPress 2.8.4

WordPress 2.8.4 has been released. Like WordPress 2.8.3, this is a security fix.

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass the check that verifies a user actually requested a password reset. As a result, the first account without a reset key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.
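As an added illustration of the failure mode described above (not WordPress's own code), the reset-key check below refuses empty or non-string input and looks the account up by login before comparing the key, so an account with no pending reset can never be the "first match" for a missing key. The users table, PDO connection and sample rows are constructed for the example.

```php
<?php
// Added illustration (not WordPress code): validate a password-reset request
// so a missing or malformed key cannot match an account with no reset pending.
// Assumes a hypothetical users table with user_login and user_activation_key.
function find_user_for_reset(PDO $db, $login, $key): ?array
{
    // Parameters are deliberately untyped: reject arrays and empty strings
    // explicitly instead of relying on a loose emptiness test.
    if (!is_string($login) || !is_string($key) || $login === '' || $key === '') {
        return null;
    }

    // Look the account up by login only, then compare the key in PHP, so the
    // database never answers "the first row whose key equals the input".
    $stmt = $db->prepare(
        'SELECT ID, user_login, user_activation_key FROM users WHERE user_login = ?'
    );
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (string) $row['user_activation_key'] === '') {
        return null;                       // unknown account, or no reset pending
    }
    if (!hash_equals((string) $row['user_activation_key'], $key)) {
        return null;                       // key does not belong to this account
    }
    return $row;
}

// Constructed in-memory fixture: an admin with no pending reset and a user
// whose pending reset key is "k1".
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, user_login TEXT, user_activation_key TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', ''), (2, 'alice', 'k1')");

var_dump(find_user_for_reset($db, 'admin', '') === null);   // empty key rejected
var_dump(find_user_for_reset($db, 'admin', 'k1') === null); // another account's key
$hit = find_user_for_reset($db, 'alice', 'k1');
var_dump($hit !== null && $hit['user_login'] === 'alice');  // genuine reset
// bool(true), bool(true), bool(true)
```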

Changelog: WordPress 2.8.4
Download: WordPress 2.8.4
Download: Modified files since WordPress 2.8.3


WordPress 2.8.3

WordPress 2.8.3 has been released and, like WordPress 2.8.2, is a security fix.

Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3. Since this is a security release, upgrading is highly recommended.

Changelog: WordPress 2.8.3
Download: WordPress 2.8.3
Download: Modified files since WordPress 2.8.2
