WordPress 3.0.2 is made available today, and it is a mandatory security update for all previous WordPress versions. This maintenance release fixes a moderate security issue where a malicious Author-level user could gain further access to the site. This release also addresses a handful of bugs, and provides some additional security enhancements. Big thanks to Vladimir Kolesnikov for detailed and responsible disclosure of the security issue!
We advise that you update immediately even if you do not have untrusted users. (Use our ultimate guide to Upgrade WordPress to make sure you do everything right)
Full list of updates made in this version:
- Fix moderate security issue where a malicious Author-level user could gain further access to the site.
- Remove pingback/trackback blogroll whitelisting feature as it can easily be abused.
- Fix canonical redirection for permalinks containing %category% with nested categories and paging.
- Fix occasional irrelevant error messages on plugin activation.
- Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin.
- Clarify the license in the readme
- Multisite: Fix the delete_user meta capability
- Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins
- Multisite: Fix ms-files.php content type headers when requesting a URL with a query string
- Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs
What are you waiting for? Upgrade NOW!!!