WordPress 3.0.4: Critical Security Update Released
WordPress 3.0.4 has just been released. This is a critical security update for all previous WordPress versions.
This update fixes XSS vulnerabilities in the KSES library: “Don’t be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url().” (r17172)
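What those three changes guard against, shown as an added PHP sketch (not WordPress's kses.php; the function names are hypothetical and the sample attributes are constructed): attribute names are compared case-insensitively, and character references are decoded before the scheme is checked. It assumes PHP 7.4+ with the mbstring extension.

```php
<?php
// Added illustration, not WordPress's kses.php; all function names are hypothetical.

// Decode numeric character references (zero-padded and semicolon-less forms
// included), then named entities. Nested encodings may be decoded further than
// a browser would; for a deny check that errs toward rejecting.
function normalize_entities(string $s): string {
    $decode = function (int $cp): string {
        $c = mb_chr($cp, 'UTF-8');
        return $c === false ? '' : $c;   // drop invalid code points
    };
    $s = preg_replace_callback('/&#0*(\d{1,7});?/',
        fn($m) => $decode((int) $m[1]), $s);
    $s = preg_replace_callback('/&#x0*([0-9a-f]{1,6});?/i',
        fn($m) => $decode((int) hexdec($m[1])), $s);
    return html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Check the scheme only after normalizing, and compare it case-insensitively.
function is_allowed_url(string $raw, array $allowed = ['http', 'https', 'mailto']): bool {
    $url = normalize_entities($raw);
    // Whitespace and control characters must not split or prefix the scheme.
    $url = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return true;                     // no scheme: treated as a relative URL
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

// Attribute names are lowercased before the allowlist lookup, so HREF and
// href get the same treatment, including the URL check.
function filter_attributes(array $attrs, array $allowed = ['href', 'title']): array {
    $out = [];
    foreach ($attrs as $name => $value) {
        $key = strtolower($name);
        if (!in_array($key, $allowed, true)) continue;
        if ($key === 'href' && !is_allowed_url($value)) continue;
        $out[$key] = $value;
    }
    return $out;
}

// Constructed sample attributes for an <a> tag.
$sample = ['HREF' => 'javascript&#0000058;void(0)', 'Title' => 'release notes', 'onClick' => 'void(0)'];
var_export(filter_attributes($sample));
var_export(filter_attributes(['href' => 'HTTPS://wordpress.org/download/']));
```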
From the WordPress.org Blog update:
Version 3.0.4 of WordPress, available immediately through the update page in your dashboard or for download here, is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”
List of Files Revised:
wp-includes/version.php
wp-includes/formatting.php
wp-includes/kses.php
readme.html
wp-admin/includes/update-core.php
WordPress users can update automatically through the WordPress dashboard or download the release from the official WordPress.org site.