WordPress 2.3.3

5 Feb 2008

WordPress



If you haven’t read or seen the announcement on your WP Dashboard, several hours ago the WordPress Development team released WordPress 2.3.3 as an urgent security release. They found a flaw in the XML-RPC implementation that allowed a valid user to edit posts of a different user on that blog via a specially crafted request. Aside from this issue, WP 2.3.3 also fixes these minor bugs:

  • gettext fails to determine byteorder on 64bit systems with php5.2.1
  • some registration emails fail in 2.3.1 b/c of “callout verification”
  • maybe_create_table call to config.php issue

Doing the full upgrade is good, but if you don’t have the time to upgrade your WordPress installation and just want to be safe, all you need to do is download the fixed version of xmlrpc.php and replace the existing one in your WordPress folder.
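
If you maintain several blogs, a script along these lines can check which of the two fixes above (full upgrade, or replacing only xmlrpc.php) each install has received. This is an added example, not code from WordPress or from the original post; the function names are made up for illustration, and it assumes each install stores its version as `$wp_version = '...';` in wp-includes/version.php and that you have already downloaded the fixed xmlrpc.php to use as a reference copy.

```shell
#!/bin/sh
# Added example (not from the post): audit WordPress installs for the 2.3.3 fix.
# Usage: sh audit_wp.sh <web-root> <fixed-xmlrpc.php>

# Print $wp_version from wp-includes/version.php (assumed layout).
wp_version() {
    sed -n "s/^[$]wp_version *= *'\([^']*\)'.*/\1/p" \
        "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# Succeed if dotted version $1 >= $2, comparing up to three numeric fields.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Classify one install directory ($1) against the reference file ($2):
#   upgraded  - core version is 2.3.3 or later
#   patched   - older core, but xmlrpc.php is byte-identical to the fixed copy
#   unpatched - neither; the post does not say which older versions are affected
wp_status() {
    ver=$(wp_version "$1")
    if [ -n "$ver" ] && version_ge "$ver" 2.3.3; then
        echo upgraded
    elif [ -f "$1/xmlrpc.php" ] && cmp -s "$1/xmlrpc.php" "$2"; then
        echo patched
    else
        echo unpatched
    fi
}

# Report every WordPress install found under the web root ($1).
audit_tree() {
    find "$1" -type f -path '*/wp-includes/version.php' | while read -r f; do
        dir=${f%/wp-includes/version.php}
        printf '%s\t%s\t%s\n' "$dir" "$(wp_version "$dir")" \
            "$(wp_status "$dir" "$2")"
    done
}

# Run only when both arguments are given, so the functions can be sourced.
if [ "$#" -eq 2 ]; then
    audit_tree "$1" "$2"
fi
```

An install reported as `patched` still carries its old version number, so anything that checks only the version will keep flagging it until the full upgrade is done.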

An additional warning is issued regarding the WP Forum plugin which contains a vulnerability that is still actively exploited. If you’re running this plugin, it is strongly advised that you remove it until an updated version is made available.

Have you updated your WordPress installation already?

WordPress 2.3.3 is an urgent security release. A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog. In addition to fixing this security flaw, 2.3.3 fixes a few minor bugs. If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php. Otherwise, you can get the entire release here.

Also, there is a vulnerability in the WP-Forum plugin that is being actively exploited right now. If you are using this plugin, please remove it until an update is available.

Since we are talking security, remember to use strong passwords and change them regularly. While you’re updating WP and your plugins, consider refreshing your passwords.



Written by Jaypee Habaradas
Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Twitter @jaypee or Facebook.

10 Responses to “WordPress 2.3.3”

  1. Jaypee UNITED STATES Mozilla Firefox Windows Says:

    @sasha – You’re welcome! :)

  2. sasha BELARUS Internet Explorer Windows Says:

    the information is really useful! Thanks!

  3. Jaypee UNITED STATES Mozilla Firefox Windows Says:

    @estan – If you don’t have time to do the full upgrade, you can just download the fixed xmlrpc.php file and overwrite the old one. That shouldn’t take more than a couple minutes of your time. :D

  4. estan PHILIPPINES Mozilla Firefox Windows Says:

    well, i’m pressed for time right now. but thanx for this info.

  5. Jaypee UNITED STATES Mozilla Firefox Windows Says:

    @K – It’s all good! As I mentioned in my post, doing the complete upgrade is good but not compulsory because the flaw is found only in the xmlrpc.php file. At least you learned a lesson about reading instructions carefully and about changing passwords, right? Next time, you’ll know what to do. :D

  6. K HONG KONG Safari Mac OS Says:

    I’m really so dumb. I actually updated the whole wp files. COMPLETE. I didn’t read carefully, it turns out only one was needed. Sometimes this upgrade is confusing and not clear to me, wordpress should list down what file and how-to instructions so it’s easy for everyone. But it’s okay, at least it gives me the idea that we should change our password every so often.

  7. Jaypee UNITED STATES Mozilla Firefox Windows Says:

    @jhay – Really? How many blogs did you upgrade last night? Upgrading a WordPress installation is fun but when you have multiple blogs to maintain, it can be very time consuming. Having a fast Internet connection helps in speeding up the upgrade process. :)

  8. jhay PHILIPPINES Safari Windows Says:

    I just upgraded all my blogs last night. It was a marathon upgrade session really. :mrgreen:

  9. Jaypee UNITED STATES Mozilla Firefox Windows Says:

    @deric – You’re welcome! Glad to be of help. I see that you’re using Windows Live Writer. I’ve tried it but I just can’t seem to get used to it. I dunno why. Probably coz I want to have full control of how I compose my posts and the way they’re formatted. :D

    Btw, how long have you been using Windows Live Writer? Do you use it all the time or only for the nursing site?

  10. deric UNITED STATES Mozilla Firefox Windows Says:

    thanks Jaypee for highlighting the issue about xml-rpc. That file is essential for my windows live writer to connect to my nursing site. It’s good to know that they’d fix the flaw already. :mrgreen:
