WordPress warns of critical flaw

Popular open-source blogging package WordPress has been updated following the discovery of a cross-site scripting vulnerability that can leave earlier versions open to attack from ne'er-do-wells.

The update is described by WordPress founder and developer Matt Mullenweg as 'critical,' affecting the core HTML sanitization library KSES - which, ironically, exists to strip potentially dangerous code out of posts and comments in order to keep the blog secure.

The update, which Mullenweg describes as "a very important update to apply to your sites as soon as possible because it fixes a core security bug," brings the popular blogging platform to version 3.0.4 - and if you're running an earlier version, it's time to log in to the Dashboard and upgrade, because this update is a doozy.

"I realise an update during the holidays is no fun," Mullenweg explains, "but this one is worth putting down the eggnog for" due to the far-reaching nature of the security bug, which can be exploited to allow remote attackers full access to the blog and even the underlying server platform.

The flaw, which is not believed to be under active exploitation in the wild, was discovered by security researchers Mauro Gentile and Jon Cave, who alerted the WordPress development team so a solution could be developed before details of the flaw were made public.

The fix is a simple one-click installation for self-hosted WordPress users and has already gone live on the company's own commercial hosting platform. Because it touches a core part of the blogging platform, Mullenweg is asking security researchers to look over the changeset to confirm that the flaw is correctly patched and that the fix hasn't opened any new holes.

Details of the fix, as well as a link to manually download the latest version if you're unable to use the one-click upgrade functionality in the WordPress Dashboard, are available on the blog.