An update to the popular WordPress blogging platform fixes a known security hole that could have enabled a malicious contributor to gain wider control over the blog to which he or she contributed.
WordPress 3.0.2 was posted on Tuesday. The privilege escalation hole was described as of “moderate” severity. IN addition to that fix, the latest update includes a fix for a trackback white listing feature that allowed comment spammers to bypass features that limited trackbacks or pingbacks from previously unknown individuals, as well as a cross site scripting issue described as “minor.”
WordPress, one of the most popular blogging platforms, has been the target of large scale hacks before. In April, malicious hackers took advantage of incorrectly configured WordPress installations on servers belonging to Network Solutions to redirect thousands of Web domains running WordPress to a Web domain that served up malicious content. In November, 2009, WordPress installations were the target of a Web based attack that tried to crack administrative passwords to WordPress blogs.
WordPress 3.0.2 is described as a madatory security update for sites running previous editions of the software. It can be downloaded and installed directly from hosting providers or from the WordPress Web site.
