Andrew Nacin posted on the official WordPress.org blog this evening that a “security hardening update” is available for all WordPress users.
On the cusp of WordPress 3.1, this security update is being applied to both 3.0.5 and 3.1 RC4. Two of the security fixes prevent author and contributor-level users from accessing unauthorized levels of a site. A third fix prevents author-level users from viewing draft and private posts by other authors. Finally, two “security enhancements” were made: one for plugins that don’t use the WordPress security API and the other to further harden security from a previous release, which I assume to be the fix for 3.0.4.
The 3.1 Release Candidate 4 also includes some small bug fixes. I think it’s safe to say we are quite close to the branch release of 3.1, mostly because Nacin tells us so in the haiku 🙂:
Three point oh point five
Three point one comes soon
As a final note, Nacin thanked “Nils Jueneman and Saddy for their private and responsible disclosures to [email protected] for two of the issues.” I have little doubt that he specifically noted his appreciation for their disclosure method because of how the 3.0.4 release went down in December.
So what are you waiting on? Go and update your site from the dashboard or download your version of choice from the original post.