WordPress 3.0.2 mandatory security update

This is a mandatory security update for all previous WordPress versions.

This maintenance release fixes a moderate security issue where a malicious Author-level user could gain further access to the site. This release also addresses a handful of bugs, and provides some additional security enhancements.

Summary

  • Fix moderate security issue where a malicious Author-level user could gain further access to the site.

Other bugs and security hardening:

  • Remove pingback/trackback blogroll whitelisting feature as it can easily be abused.
  • Fix canonical redirection for permalinks containing¬†%category% with nested categories and paging.
  • Fix occasional irrelevant error messages on plugin activation.
  • Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin.
  • Clarify the license in the readme
  • Multisite: Fix the delete_user meta capability
  • Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins
  • Multisite: Fix ms-files.php content type headers when requesting a URL with a query string
  • Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs

List of Files Revised

wp-includes/ms-files.php
wp-includes/version.php
wp-includes/comment.php
wp-includes/functions.php
wp-includes/load.php
wp-includes/canonical.php
wp-includes/capabilities.php
readme.html
wp-admin/includes/plugin.php
wp-admin/includes/file.php
wp-admin/includes/update-core.php
wp-admin/plugins.php

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.