WordPress 2.2.3 closes security holes
The developers of the WordPress open-source blog system have published version 2.2.3 of the software, which closes two security holes. In previous versions, attackers could remotely inject SQL commands via the XML-RPC interface by submitting specially crafted URLs, in order to obtain user credentials. The second vulnerability allowed attackers without the unfiltered_html capability to post arbitrary HTML code in a blog entry by means of manipulated HTTP POST requests.
The other changes that the developers summarize in the change log relate to minor flaws. The developers recommend that WordPress users update to the new version, which is available for download from the project's website.
- Remote SQL Injection in WordPress and WordPress MU, Alexander Concha's security advisory
- Users without unfiltered_html capability can post arbitrary html, entry in the WordPress database of flaws
- List of the flaws remedied in WordPress 2.2.3
- Download the current version of WordPress
(mba)