WordPress 2.3.3 Is Out
The WordPress blog just revealed that WordPress 2.3.3 is out, and it is supposed to be an “urgent security release.” Here is what it is about:
A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog.
Honestly, I think these constant security updates are starting to get cumbersome. The good thing is that this time you can update only the xmlrpc.php file.
Finally, there is also a bug in the WP-Forum plugin which is already being exploited, so check for the upgrade if you use that plugin on your blog.
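Added example (not code from the post or from WordPress itself): a small POSIX shell audit for anyone running several blogs, which reads the installed version from the stock wp-includes/version.php and reports whether each document root is still below 2.3.3 with xmlrpc.php exposed.

```shell
#!/bin/sh
# Audit one or more WordPress document roots for the 2.3.3 XML-RPC fix.
# Assumes the stock layout: the version is declared in wp-includes/version.php
# as $wp_version = 'x.y.z'; and the XML-RPC endpoint is <root>/xmlrpc.php.

FIXED_VERSION="2.3.3"

# Print the version installed under document root $1, or nothing if not found.
wp_version_of() {
    sed -n "s/^[\$]wp_version *= *'\([0-9.]*\)'.*/\1/p" \
        "$1/wp-includes/version.php" 2>/dev/null || true
}

# Succeed when dotted version $1 is strictly lower than $2 (numeric per field).
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Classify a document root, printing one word:
#   upgrade  - below 2.3.3 and xmlrpc.php present: replace the file or upgrade
#   removed  - below 2.3.3 but xmlrpc.php absent: endpoint not exposed
#   ok       - 2.3.3 or later
#   unknown  - no WordPress version file found
audit_root() {
    v="$(wp_version_of "$1")"
    if [ -z "$v" ]; then echo unknown; return; fi
    if version_lt "$v" "$FIXED_VERSION"; then
        if [ -f "$1/xmlrpc.php" ]; then echo upgrade; else echo removed; fi
    else
        echo ok
    fi
}

# Usage: audit_wp_roots /var/www/blog1 /var/www/blog2 ...
# Prints one tab-separated line per root: path, version, status.
audit_wp_roots() {
    for root in "$@"; do
        printf '%s\t%s\t%s\n' "$root" "$(wp_version_of "$root")" "$(audit_root "$root")"
    done
}
```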
14 Responses to “WordPress 2.3.3 Is Out”
The How-To Geek
I’ve disabled the ability for anybody else to trackback… so it’s not a problem for me.
sweet… because that’s what i did.
Jennine, apparently yes.
hi! i’ve been reading your blog daily for a while… thank you for writing such great tips!
and i really don’t want to do the update, mostly because i’m lazy.
could i just replace that one file? will that work?
@Mark Gibson: What would you rather? No security updates and you running a vulnerable copy of WordPress? Upgrading is 10 times easier if you use SVN to do the job, and if you use a web host that doesn’t support shell access or SVN, I highly recommend you switch to one that does (DreamHost comes to mind).
@The How-To Geek: What do you mean by not using trackbacks? The whole point of trackbacks is that somebody else uses them to ping your blog. Even if you yourself don’t use them, that doesn’t mean that somebody else doesn’t use them. If you delete xmlrpc.php, you will receive no incoming pingbacks or trackbacks, which is a downside to what I suggested in comment #1.
Thanks Daniel for posting about this. I wouldn’t have known about this if you hadn’t brought the subject up so many thanks indeed.
Keep up the great work. 🙂
The How-To Geek
If you don’t use trackbacks or external blog editors, there’s really no need for that file, you could just delete it.
If you don’t use trackbacks but you DO use an external blog editor, you could rename it to something else and adjust the URL in your editor.
Showbiz Intriga? Get It From Boy!
such that a specially crafted request would allow any valid user to edit posts of any other user on that blog.
does this mean that this applies only to blogs with multiple authors/users with permission to write and will not affect a one man show/blog?
This is getting a little dull. I use wordpress on more than 8 sites and if you multiply that by the number of plugin updates this generates as well, then it can keep you busy. I appreciate the fact that the software is being “actively worked on” but the update cycle needs to be longer or far more automated.
I still love wordpress though!
yes it’s getting quite cumbersome. It was only about a month ago that we had to upgrade to 2.3.2. Ah well…
I say WordPress needs to ditch xmlrpc.php. That file has had the most horrendous security track record of any file I’ve ever seen.
I think that XML-RPC support should become a plugin.