WordPress Development Blog » Releases

WordPress 2.8.6 Security Release

Ryan Boren — Thu, 12 Nov 2009 19:17:20 +0000

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

Get WordPress 2.8.6.

WordPress 2.8.5: Hardening Release

Peter Westwood — Tue, 20 Oct 2009 23:30:00 +0000

As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.

The headline changes in this release are:

A fix for the Trackback Denial-of-Service attack that is currently being seen.
Removal of areas within the code where php code in variables was evaluated.
Switched the file upload functionality to be whitelisted for all users including Admins.
Retiring of the two importers of Tag data from old plugins.

We would recommend that all sites are upgraded to this new version of WordPress to ensure that you have the best available protection.

If you think your site may have been hit by one of the recent exploits and you would like to make sure that you have cleared out all traces of the exploit then we would recommend that you take a look at the WordPress Exploit Scanner. This is a plugin which searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames. You can read more about this plugin here – “WordPress Exploit Scanner“

WordPress 2.8.4: Security Release

Matt — Wed, 12 Aug 2009 01:41:54 +0000

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.

WordPress 2.8.3 Security Release

Ryan Boren — Mon, 03 Aug 2009 15:30:54 +0000

Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3. Since this is a security release, upgrading is highly recommended. Download 2.8.3, or upgrade automatically from your admin.

WordPress 2.8.2

Ryan Boren — Mon, 20 Jul 2009 05:35:45 +0000

WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site. Download 2.8.2 or automatically upgrade from the Tools->Upgrade page of your blog’s admin.

WordPress 2.8.1

Ryan Boren — Thu, 09 Jul 2009 20:20:54 +0000

WordPress 2.8.1 fixes many bugs and tightens security for plugin administration pages. Core Security Technologies notified us that admin pages added by certain plugins could be viewed by unprivileged users, resulting in information being leaked. Not all plugins are vulnerable to this problem, but we advise upgrading to 2.8.1 to be safe.

What else is new since 2.8? Read through the highlights below, or view all changes since 2.8

Certain themes were calling get_categories() in such a way that it would fail in 2.8. 2.8.1 works around this so these themes won’t have to change.
Dashboard memory usage is reduced. Some people were running out of memory when loading the dashboard, resulting in an incomplete page.
The automatic upgrade no longer accidentally deletes files when cleaning up from a failed upgrade.
A problem where the rich text editor wasn’t being loaded due to compression issues has been worked around.
Extra security has been put in place to better protect you from plugins that do not do explicit permission checks.
Translation of role names fixed.
wp_page_menu() defaults to sorting by the user specified menu order rather than the page title.
Upload error messages are now correctly reported.
Autosave error experienced by some IE users is fixed.
Styling glitch in the plugin editor fixed.
SSH2 filesystem requirements updated.
Switched back to curl as the default transport.
Updated the translation library to avoid a problem with mbstring.func_overload.
Stricter inline style sanitization.
Stricter menu security.
Disabled code highlighting due to browser incompatibilities.
RTL layout fixes.

WordPress 2.8.1 Release Candidate 1

Ryan Boren — Tue, 07 Jul 2009 17:04:45 +0000

2.8.1 is nigh. Release Candidate 1 is our last stop before the final release. Please download RC1, review the changes made since beta 2, and have a look at all of the tickets fixed in 2.8.1. Thanks for testing WordPress.

WordPress 2.8.1 Beta 2

Ryan Boren — Fri, 26 Jun 2009 20:06:31 +0000

2.8.1 Beta 2 is ready for testing. Download it, check out the changes since beta 1, and review all tickets fixed in 2.8.1. We especially suggest, recommend, and beg that plugin developers test their plugins against beta 2 and let us know of any issues. Notable fixes in beta 2:

Translation of role names fixed
wp_page_menu() defaults to sorting by the user specified menu order rather than the page title
Upload error messages are now correctly reported
Autosave error experienced by some IE users is fixed
Styling glitch in the plugin editor fixed
SSH2 filesystem requirements updated
Switched back to curl as the default transport
Updated the translation library to avoid a problem with mbstring.func_overload

Thanks again for testing WordPress.

WordPress 2.8.1 Beta 1

Ryan Boren — Sun, 21 Jun 2009 00:05:14 +0000

We’ve started work on the first maintenance release to 2.8. 2.8.1 will fix a handful of bugs that turned up in 2.8. Today we’re releasing the first beta of 2.8.1. Download it, and check out the bugs fixed so far. Here are some of the notable issues that are fixed in beta 1.

Certain themes were calling get_categories() in such a way that it would fail in 2.8. 2.8.1 works around this so these themes won’t have to change.
Dashboard memory usage is reduced. Some people were running out of memory when loading the dashboard, resulting in an incomplete page.
The automatic upgrade no longer accidentally deletes files when cleaning up from a failed upgrade.
A problem where the rich text editor wasn’t being loaded due to compression issues has been worked around.
Extra security has been put in place to better protect you from plugins that do not do explicit permission checks.

If you would like to automatically upgrade from 2.8 to 2.8.1 Beta 1, follow these instructions. Thanks for testing WordPress.

2.8 Release Jazzes Themes and Widgets

Matt — Thu, 11 Jun 2009 02:01:39 +0000

I’m very excited to announce to everyone that the latest and greatest version of WordPress, version 2.8 “Baker,” is immediately available for download. 2.8 represents a nice fit and finish release for WordPress with improvements to themes, widgets, taxonomies, and overall speed. We also fixed over 790 bugs. This release is named in honor of noted trumpeter and vocalist Chet Baker. Here’s a quick video overview of everything in the new release:

The first thing you’ll notice is that visually 2.8 feels a lot like 2.7, just with some minor tweaks here and there. However once you’ll dig in you’ll begin to appreciate the changes.

Major New Improvements

First and foremost, 2.8 is way faster to use. We’ve changed the way WordPress does style and scripting.

The core and plugin updaters in previous versions of WordPress have been such a success we decided to bring the same to themes. You can now browse the entire theme directory and install a theme with one click from the comfort of your WordPress dashboard.

If you make edits or tweaks to themes or plugins from your dashboard, you’ll appreciate the new CodePress editor which gives syntax highlighting to the previously-plain editor. Also there is now contextual documentation for the functions in the file you’re editing linked right below the editor.

If you were ever frustrated with widgets before, this release should be your savior. We’ve completely redesigned the widgets interface (which we didn’t have time to in 2.7) to allow you to do things like edit widgets on the fly, have multiple copies of the same widget, drag and drop widgets between sidebars, and save inactive widgets so you don’t lose all their settings. Developers now have access to a much cleaner and robust API for creating widgets as well.

Finally you should explore the new Screen Options on every page. It’s the tab in the top right. Now, for example, if you have a wide monitor you could set up your dashboard to have four columns of widgets instead of the two it has by default. On other pages you can change how many items show per page.

And Even More

You can read the full list of over 180 new features, changes, upgrades, and improvements on the Codex. The list is exhausting!

The Future

We’re already thinking hard about the next versions, 2.9 and 3.0. Keep an eye out for improved media handling, better dependency checking, versioning of templates and themes, and of course the fabled merging of WordPress and MU announced at WordCamp San Francisco two weeks ago.