WordPress.org

0.6.2

• Added missing xmlrpc.php

0.6.1

• Sends X-XSS-Protection header

0.6

• WP 3.1: CSRF prevention in media uploader (r17659)
• WP 2.6-3.1.2: Partial backport of r17710 (better than nothing)
• Pre-3.1.1: Partial fix for #16892 (r17571)
• Pre-3.1.3: Backported what I could (added sanitize_mime_type(), set filters to (pre_)post_guid, (pre_)post_mime_type)
• Backported esc_url() and esc_url_raw() functions from WP 2.8
• Added esc_url(raw) to pre_comment_author_url, (pre)user_url, (pre_)link_url, (pre_)link_image, (pre_)link_rss, comment_url filters
• A lot of code has been rewritten
• Pre-3.1.3: anti-clickjacking header (see HTTP Headers to Secure Your Website)
• Fixed SEC-20110701-0

0.5

• Backport of r17172 for wp-includes/formatting.php (affects 2.3.1-3.0.3; cannot be fixed in 2.3.0)

0.4

• Backport of r17393, r17387, r17400, r17406 from 3.0.5.

0.3

• First stable version (thanks to Sergey Biryukov) for the patches
• SA23621 is partially fixed (it remains not fixed even in the current WP)
• Hides versions of the used scripts and stylesheets
• Due to numerous requests, the plugin hides All in One SEO Pack's version

0.2

• Bug fixes
• Forcefully sets the default CSS/JS version to 0.0 (by default it matches the WordPress version)

0.1

• disables trackback/pingback whitelisting (fixed in 3.0.2, exists since 1.x)
• tries to protect against SQL truncation attack during signup
• stops SQL injection attack when processing trackbacks
• CVE-2008-4769
• closes old slug redirect vulnerability
• tries to fix redirection bug to file:// and scp:// (you must have really old cURL if you are hit with this bug)
• stops SQL injection attack in wp_insert_attachment()
• stupid trick to fight the feed replacement vulnerability
• PRNG attack protection;
• tries to fix 2.7.x/2.8.x admin remote code execution
• fixes 2.5 Cookie Integrity Protection Vulnerability
• fixes 2.5.1 reset password bug