WordPress update for better security
In the new version of WordPress, version 2.0.5, the developers have fixed bugs which include several security vulnerabilities. A correction to user administration in user-edit.php prevents non-privileged WordPress users from accessing personal data from other accounts. Checks for entered file names have been added to the wp-db-backup.php database backup plugin, to prevent, for instance, illegal data access outside the intended folder.
Read database access, including in the options.php script, has been secured against so-called unserialized attacks, which could be used to disable a server. In older versions, it was potentially possible for WordPress users to write strings to the database which would be passed unfiltered to the unserialize() PHP function when read from the database. This could be exploited by, for example, using short strings to use up large amounts of disk space, which could lead the system to crash.
In total, more than 50 fixes have been made in WordPress 2.0.5. Because of the security fixes, the developers recommend all WordPress administrators to update to the new version.
- Developer notes on version 2.0.5 on the WordPress website.