Heads up to all WordPress users! A new security update – WordPress 3.1.2 was just released a few hours ago. This security release addresses a vulnerability allowing Contributor-level users to improperly publish posts so everyone is strongly advised to update to this latest version especially if user registration is enabled on your WordPress-powered blog or website.

Aside from that, version 3.1.2 also fixes a few other bugs that didn’t make it in the previous version 3.1.1. Thanks to Andrew Nacin and Benjamin Balter for discovering about the security issue and informing the WordPress team about it.

You can download WordPress 3.1.2 and do the upgrade manually or you can choose to do it the easy way via the WordPress admin panel – Dashboard > Updates. Be sure to backup your WordPress database and deactivate all active plugins before performing the upgrade.

Just upgraded JaypeeOnline to WordPress 3.1.2 (manually) a few minutes ago and the upgrade process went smoothly, no issues with the current plugins I’m using.

A few hours ago, Ryan Boren announced via the official WordPress blog the availability of WordPress 3.1.1. This update is a maintenance and security release that contains about thirty patches/fixes to issues found on the 3.1 version like security hardening to media uploads, performance improvements, fixes for IIS6 support, fixes for taxonomy and PATHINFO (/index.php/) permalinks and fixes for various query and taxonomy edge cases causing plugin compatibility issues.

Aside from the issues mentioned above, WordPress 3.1.1 also addresses three security issues that were discovered by Jon Cave and Peter Westwood – both WordPress core developers and members of the WordPress security team.

• Hardens CSRF prevention in the media uploader.
• Avoids a PHP crash in certain environments when handling devilishly devised links in comments.
• Addresses a XSS flaw.

Whether you’ve already upgraded to WordPress 3.1 or not, this is the best time to upgrade your WordPress installation to the latest version.

WordPress 3.1.1 can be downloaded manually from WordPress.org or automatically via the WordPress admin panel – Dashboard > Updates. Personally, I prefer to do the upgrade manually because it has less problems and issues. Make sure that you disable/deactivate all active plugins before you start the upgrade process. This reduces the risk of running into problems or plugin compatibility issues.

Anyone upgraded their blogs to WordPress 3.1.1? What version of WordPress were you running prior to the upgrade? Please share your thoughts.

Two days ago, the WordPress dev team released WordPress 3.0.5 which is a security hardening update that includes security enhancements like improved security of any plugins that didn’t properly leverage security API, additional in-depth defense against vulnerabilities, fix for a information disclosure issue that could’ve allowed author-level users to view content of drafts & private posts and a bug fix for an issue that could’ve allowed contributor or author-level users to gain further access to the website/blog.

WordPress 3.0.5 did its job of fixing the security issues and bugs but it also created a small glitch that stripped advanced HTML from comments. Here’s Mark Jaquith’s explanation about the WordPress 3.0.5 bug.

One of the security fixes for WordPress 3.0.5 was overzealous. It fixed the issue, but it also stripped advanced HTML (on display, not save, thankfully) from comments by people with the unfiltered_html capability. It’s sort of a rare bug — doesn’t apply to multisite installs, and not many people know that Editors and Administrators on single WP installs can use images etc in comments, so we don’t think it warrants another release.

To address/fix this issue, the Akismet team included the hotfix with the release of Akismet 2.5.3. If you’re not using Akismet, you can use the newly created plugin called Hotfix that fixes the WordPress 3.0.5 bug. You might want to keep this plugin for future use as it is designed to fix selected bugs that might come with future versions of WordPress.

Still haven’t upgraded to WordPress 3.0.5? Common now! It only takes a few minutes of your time and it will save you a ton of headaches and problems. Better safe than sorry folks!

You can download WordPress 3.0.5 manually from WordPress.org or do it automatically via the WordPress admin panel – Dashboard > Updates. If you do upgrade your WordPress installation, don’t forget to download the latest version of Akismet or the Hotfix plugin so you won’t get bitten by the WordPress 3.0.5 bug.

Anybody here who’s already upgraded to WordPress 3.0.5? Anyone had issues with the WordPress 3.0.5 bug?

The WordPress dev team has released the WordPress 3.0.4 security update to fix a core security bug in the HTML sanitation library. This particular version or release is classified as “critical” so all self-hosted WordPress users are advised to update/upgrade their WordPress installation ASAP!

Here’s an excerpt of the official announcement from the WordPress blog:

Version 3.0.4 of WordPress, available immediately through the update page in your dashboard or for download here, is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

Special thanks and mention goes to Mauro Gentile and Jon Cave, the people who discovered and alerted the WordPress team about the vulnerabilities. Aside from the large number of available free themes and plugins, another thing that makes WordPress awesome is the involvement and support of its community.

Something related to WordPress 3.0.4, I came across Lorelle’s post and it mentions about Dreamhost users who haven’t upgraded to version 3.0.4 had issues logging into their dashboards and found out that some codes have been inserted into a large number of WordPress files.

If you haven’t upgraded your WordPress installation to WordPress 3.0.4, please spare a few minutes of your time to do so. Better safe than sorry folks!

You can download WordPress 3.0.4 manually from WordPress.org or do it automatically via the WordPress admin panel – Dashboard > Updates.

Just a week after they released the WordPress 3.0.2 security update, the WordPress dev team has released another security update early this morning – WordPress 3.0.3. This security update is mandatory for all previous versions of WordPress.

WordPress 3.0.3 fixes issues found in the remote publishing interface that in certain situations could allow Author and Contributor level users to maliciously or improperly edit, publish or delete posts. These issues only affect sites that have remote publishing enabled, so if your blog has remote publishing enabled, it is advised that you upgrade to this security update ASAP. By default, remote publishing is disabled but could be enabled by using remote publishing clients like the WordPress mobile apps. If you’re not sure whether remote publishing is enabled on your blog, you can check it from your WordPress dashboard and going to Settings > Writing.

You can download WordPress 3.0.3 manually from WordPress.org or do it automatically via the WordPress admin panel – Dashboard > Updates.