WordPress 3.0.2 is now available, and WordPress is calling it a mandatory security update for all previous versions.
The 3.0.2 maintenance release specifically addresses an Author-level security loophole that allowed Author-level users to gain access to higher-level site features… NOT GOOD!
3.0.2 addresses some other issues as well, but it’s pretty much all centered around database security.
Update WordPress Automatically:
You can update your WordPress blog to 3.0.2 automatically.
Next time you log in to your dashboard, you should see a message at the top announcing the update – just click the “Update automatically” button and follow the steps from there.
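If you look after more than one site, it helps to know which installs are still below 3.0.2 before logging in to each dashboard. The following shell script is an added example (not part of the original post and not WordPress's own tooling): it reads the `$wp_version` variable from `wp-includes/version.php` (a real file in every WordPress install) and reports whether the mandatory update is still outstanding. The function names and the sample install it builds in a temp directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag WordPress installs older than the mandatory 3.0.2 release.
# Reads $wp_version from wp-includes/version.php (real WordPress file); the
# function names and the constructed sample install below are illustrative.

MIN_VERSION="3.0.2"

# Print the version string found in a wp-includes/version.php file.
# [$] matches a literal dollar sign without shell expansion.
wp_installed_version() {
    sed -n "s/^[$]wp_version *= *'\([^']*\)'.*/\1/p" "$1" 2>/dev/null
}

# Succeed (exit 0) when dotted version $1 is numerically older than $2.
# Missing components count as 0, so 3.0 < 3.0.2 and 3.0.10 > 3.0.2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Report UPDATE_REQUIRED, OK, or UNKNOWN for the install rooted at $1.
wp_update_status() {
    v=$(wp_installed_version "$1/wp-includes/version.php")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif version_lt "$v" "$MIN_VERSION"; then
        echo "UPDATE_REQUIRED"
    else
        echo "OK"
    fi
}

# Build a constructed sample install (only version.php) reporting version $1.
make_sample_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$1" > "$dir/wp-includes/version.php"
    echo "$dir"
}

# Stand-alone run over two constructed installs.
old=$(make_sample_install "3.0.1")
new=$(make_sample_install "3.0.2")
echo "3.0.1 install: $(wp_update_status "$old")"
echo "3.0.2 install: $(wp_update_status "$new")"
```

To use it on real sites, replace the two constructed installs with the document roots you manage (for example by looping `wp_update_status` over `/var/www/*`) and act on every `UPDATE_REQUIRED` line.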
Here’s the summary from the maintenance release:
- Fix moderate security issue where a malicious Author-level user could gain further access to the site. (r16625)
Other bugs and security hardening:
- Remove pingback/trackback blogroll whitelisting feature as it can easily be abused. (#13887)
- Fix canonical redirection for permalinks containing %category% with nested categories and paging. (#13471)
- Fix occasional irrelevant error messages on plugin activation. (#15062)
- Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin. (r16367, r16373)
- Clarify the license in the readme (r15534)
- Multisite: Fix the delete_user meta capability (r15562)
- Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins (#15122)
- Multisite: Fix ms-files.php content type headers when requesting a URL with a query string (#14450)
- Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs (#14536)