WordPress 3.0.2 is available now, and it is a security update for all previous WordPress versions.
This maintenance release fixes a minor security issue that could allow a malicious Author-level user to gain further access to the site. It also fixes a handful of bugs and adds some additional security hardening. Many thanks to Vladimir Kolesnikov for the detailed and responsible disclosure of the security issue!
Even if you don't have any untrusted users, we recommend that you update right away. Remember that the Author role covers anyone who can write their own posts, so a compromised contributor account is enough. (Use our full guide to upgrading WordPress to make sure you're doing everything correctly.)
The following is a list of all the changes made in this version:
- Fix a minor security flaw that could allow a malicious Author-level user to gain further access to the site.
- Remove the pingback/trackback blogroll whitelisting feature, because it is easily abused.
- Fix canonical redirection for permalinks containing `%category%` with nested categories and paging.
- Fix occasional irrelevant error messages on plugin activation.
- Minor XSS fixes in `request_filesystem_credentials()` and when deleting a plugin.
- Clarify the licensing in the readme.
- Fix the capability check for `delete_user_meta` in multisite.
- Force `current_user_can_for_blog()` to run `map_meta_cap()` even for super admins in multisite.
- Fix the content type headers in `ms-files.php` when a URL with a query string is requested.
- Fix usage of the `SUBDOMAIN_INSTALL` constant for upgraded WordPress MU installs.
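The `current_user_can_for_blog()` item above is the one worth pausing on: a capability check that short-circuits for super admins before running the meta-capability mapping silently skips every `do_not_allow` rule that mapping would have produced. The sketch below is an added illustration, not WordPress's own code; `demo_map_meta_cap()`, the sample user, and the self-deletion rule are all constructed for the example, and only mimic the shape of `map_meta_cap()` returning `do_not_allow`.

```php
<?php
// Added illustration (not WordPress code): why a capability check must run the
// meta-capability mapping before it applies any super-admin shortcut.

// Hypothetical mapping in the spirit of map_meta_cap(): it turns a meta
// capability into the primitive capabilities the user must hold, and may
// return 'do_not_allow' to forbid the action outright, regardless of role.
function demo_map_meta_cap(string $cap, int $user_id, array $args): array {
    switch ($cap) {
        case 'delete_user':
            // Constructed rule: nobody may delete their own account this way.
            $target = $args[0] ?? 0;
            return ($target === $user_id) ? ['do_not_allow'] : ['delete_users'];
        default:
            return [$cap];
    }
}

// Helper: does the user hold every primitive capability in the list?
function demo_has_all(array $user, array $caps): bool {
    foreach ($caps as $c) {
        if (empty($user['caps'][$c])) {
            return false;
        }
    }
    return true;
}

// Vulnerable shape: the super-admin shortcut runs first, so the mapping (and
// any 'do_not_allow' it would produce) never executes for super admins.
function demo_can_for_blog_before(array $user, string $cap, ...$args): bool {
    if ($user['is_super_admin']) {
        return true;                      // mapping skipped entirely
    }
    $caps = demo_map_meta_cap($cap, $user['id'], $args);
    return demo_has_all($user, $caps);
}

// Fixed shape: always map first; 'do_not_allow' wins even for super admins,
// and the shortcut only applies to the remaining primitive capabilities.
function demo_can_for_blog_after(array $user, string $cap, ...$args): bool {
    $caps = demo_map_meta_cap($cap, $user['id'], $args);
    if (in_array('do_not_allow', $caps, true)) {
        return false;
    }
    if ($user['is_super_admin']) {
        return true;
    }
    return demo_has_all($user, $caps);
}

// Constructed sample user: a super admin attempting to delete their own account.
$admin = ['id' => 1, 'is_super_admin' => true, 'caps' => ['delete_users' => true]];

var_dump(demo_can_for_blog_before($admin, 'delete_user', 1));
var_dump(demo_can_for_blog_after($admin, 'delete_user', 1));
```

Run with `php demo.php`: the "before" variant grants the self-deletion because the super-admin branch returns before the mapping is consulted, while the "after" variant refuses it because `do_not_allow` is evaluated first. The same ordering matters for any plugin that wraps capability checks of its own: apply role-based shortcuts only after the mapping has had its say.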
So what are you waiting for? Upgrade now!