The latest version of popular open-source blogging platform WordPress, version 3.0.5, has been released - and if you have a public-facing installation, it brings important security fixes.
WordPress 3.0.5 contains a better fix for the KSES security vulnerability we reported on back in December and which was fixed by WordPress 3.0.4 - but that's far from the only upgrade contained in this release.
The latest update also includes fixes for two security flaws that allow sufficiently clued-up contributors or authors to increase their permission levels and gain access to content that they are not supposed to see. A fix for an information disclosure vulnerability that allowed authors to see private and draft posts from other users on the same installation is also included in WordPress 3.0.5.
Additional hardening has gone into this newest release, too: plugins that don't correctly use the WordPress security API now have a harder time breaking things when they go wrong - which should help limit the impact of badly-written or malicious plugins.
In the release notes, WordPress core developer Andrew Nacin advised users to upgrade in haiku form:
"Three point oh point five
Three point one comes soon."
The last line refers, of course, to WordPress 3.1, the next major revision in the pipeline. With a release due imminently, the WordPress team is looking for people to test the latest release candidate for bugs. While WordPress 3.1 RC4 is close to the code that will make up the final release, it's still a good idea not to try it in a production environment - but you can download the release candidate if you're willing to risk it.
For users who prefer the stable builds, WordPress 3.0.5 is available immediately through the one-click upgrade option in the WordPress Dashboard, or as a manual download from WordPress.org.