WordPress 3.0.4: Critical Security Update Released

WordPress 3.0.4 has just been released. This is a critical security update for all previous WordPress versions.

This update fixes XSS vulnerabilities in the KSES library: “Don’t be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url().” (r17172)
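The three checks named in that changeset message can be illustrated with a small sanitizer sketch. This is an added example, not WordPress's KSES code: the allow-lists, function names and test inputs are constructed for illustration, and it shows a raw-string protocol check beside one that normalizes entities first.

```python
import html
import re

ALLOWED_PROTOCOLS = {"http", "https", "mailto"}  # constructed allow-list
ALLOWED_ATTRS = {"href", "src", "title"}         # constructed allow-list
URL_ATTRS = {"href", "src"}                      # attributes whose value is a URL

def scheme_of(value):
    """Return the lower-cased URL scheme, or None for a relative URL."""
    m = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", value)
    return m.group(1).lower() if m else None

def normalize(value):
    """Decode entities until the string is stable, then strip whitespace/controls."""
    prev = None
    while prev != value:
        prev, value = value, html.unescape(value)
    return re.sub(r"[\x00-\x20\x7f]", "", value)

def naive_url_ok(url):
    """Weak form: looks at the raw string, so an entity-encoded scheme is missed."""
    scheme = scheme_of(url)
    return scheme is None or scheme in ALLOWED_PROTOCOLS

def strict_url_ok(url):
    """Hardened form: normalize first, then apply the same allow-list."""
    scheme = scheme_of(normalize(url))
    return scheme is None or scheme in ALLOWED_PROTOCOLS

def filter_attrs(attrs):
    """Keep allow-listed attributes, comparing names case-insensitively."""
    kept = {}
    for name, value in attrs.items():
        key = name.lower()
        if key not in ALLOWED_ATTRS:
            continue
        if key in URL_ATTRS and not strict_url_ok(value):
            continue
        kept[key] = value
    return kept

if __name__ == "__main__":
    # Constructed test inputs: a plain URL, a zero-padded entity, an upper-case name.
    for url in ["https://example.org/", "&#0000106;avascript:alert(1)"]:
        print(f"{url!r}: naive={naive_url_ok(url)} strict={strict_url_ok(url)}")
    print(filter_attrs({"HREF": "&#x6A;avascript:alert(1)", "Title": "ok"}))
```

The naive check passes the padded-entity input because the raw string has no recognizable scheme, while the strict check rejects it after decoding.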

From the WordPress.org Blog update:

Version 3.0.4 of WordPress, available immediately through the update page in your dashboard or for download here, is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

List of Files Revised:

wp-includes/version.php
wp-includes/formatting.php
wp-includes/kses.php
readme.html
wp-admin/includes/update-core.php

WordPress users can update automatically through their WordPress dashboard or download the release from the official WordPress.org site.
