WordPress 3.0.5 contains a better fix for the KSES security vulnerability we reported on back in December and which was fixed by WordPress 3.0.4 – but that’s far from the only upgrade contained in this release.
The latest update also includes fixes for two security flaws that allow sufficiently clued-up contributors or authors to increase their permission levels and gain access to content that they are not supposed to see. A fix for an information disclosure vulnerability that allowed authors to see private and draft posts from other users on the same installation is also included in WordPress 3.0.5.
Additional hardening has gone into this newest release, too: plugins that don’t correctly use the WordPress security API (the capability and nonce checks that gate who may do what) now have a harder time breaking things should they go wrong – which could help limit the impact of badly-written or malicious plugins.
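The two flaws described above come down to plugin or core code that changes or reveals a post without asking WordPress whether the current user is allowed to. As an added illustration (this is not code from WordPress or from the article), the handler below shows the checks the WordPress security API expects: a nonce to prove the request came from a form the site issued, a per-object capability check rather than a bare role comparison, and input sanitisation before anything is written. The hook name `admin_post_example_update_title`, the form field names and the `example_` function names are assumptions chosen for this example; `wp_verify_nonce`, `current_user_can`, `get_post`, `sanitize_text_field`, `wp_update_post` and `wp_die` are real WordPress functions.

```php
<?php
// Added example, not WordPress core or plugin code from the article.
// Hook name and form field names are assumptions for illustration.

add_action( 'admin_post_example_update_title', 'example_update_title' );

function example_update_title() {
    // 1. Verify intent: the form must have been rendered with
    //    wp_nonce_field( 'example_update_title', 'example_nonce' ).
    //    Without this, any page the user visits could submit the form for them.
    if ( ! isset( $_POST['example_nonce'] )
        || ! wp_verify_nonce( $_POST['example_nonce'], 'example_update_title' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_die( 'No such post.', '', array( 'response' => 404 ) );
    }

    // 2. Authorise against the specific object, not just the role.
    //    'edit_post' is a meta capability: a contributor passes it for
    //    their own draft and fails it for another author's post, which is
    //    exactly the distinction the privilege-escalation fixes are about.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to edit this post.', '', array( 'response' => 403 ) );
    }

    // 3. Sanitise before the value reaches the database.
    $title = isset( $_POST['post_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['post_title'] ) )
        : '';
    if ( '' === $title ) {
        wp_die( 'Title is required.', '', array( 'response' => 400 ) );
    }

    wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ) );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// Reading side of the same rule. A plugin that lists posts by querying the
// table directly will leak other users' drafts and private posts; asking
// for the 'read_post' meta capability lets WordPress apply the status and
// ownership rules instead of the plugin re-implementing them.
function example_can_view_post( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return false;
    }
    if ( 'publish' === $post->post_status ) {
        return true;
    }
    return current_user_can( 'read_post', $post_id );
}
```

The point of routing every decision through `current_user_can` with a post ID is that the answer is computed by core from the post's status and owner, so a contributor who can reach the handler still cannot edit or read what their role does not permit; a plugin that compares role names itself, or skips the nonce, is the kind of code the release's hardening is meant to contain.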
The last line refers, of course, to WordPress 3.1, the next major revision in the pipeline. With a release due imminently, the WordPress team is looking for people to test the latest release candidate for bugs. While WordPress 3.1 RC4 is close to the code that will make up the final release, it’s still a good idea not to try it in a production environment – but you can download the release candidate if you’re willing to risk it.
Read more: http://www.thinq.co.uk/2011/2/8/wordpress-305-plugs-more-security-holes/
These are great WordPress resources – I actually just started digging into a really really solid book on WordPress 3.0. It’s got some really nice code samples, and is written by a few pro WordPress developers (including some from Envato). I’m actually giving away 2 copies of the e-book on my site – check out the details about the e-book and the giveaway here – I think you’ll dig it : http://bit.ly/lq20Ff