If you haven’t read or seen the announcement on your WP Dashboard, several hours ago the WordPress Development team released WordPress 2.3.3 as an urgent security release. They found a flaw in the XML-RPC implementation that allowed a valid user to edit posts of a different user on that blog via a specially crafted request. Aside from this issue, WP 2.3.3 also fixes these minor bugs:
- gettext fails to determine byteorder on 64bit systems with php5.2.1
- some registration emails fail in 2.3.1 b/c of “callout verification”
- maybe_create_table call to config.php issue
Doing the full upgrade is good, but if you don’t have the time to upgrade your WordPress installation and just want to be safe, all you need to do is download the fixed version of xmlrpc.php and replace the existing one in your WordPress folder.
An additional warning is issued regarding the WP Forum plugin which contains a vulnerability that is still actively exploited. If you’re running this plugin, it is strongly advised that you remove it until an updated version is made available.
Have you updated your WordPress installation already? Did you experience any conflicts and/or issues during and after the upgrade process? Please share your thoughts by leaving a comment below.
@sasha – You’re welcome! :)
The information is really useful! Thanks!
@estan – If you don’t have time to do the full upgrade, you can just download the fixed xmlrpc.php file and overwrite the old one. That shouldn’t take more than a couple minutes of your time. :D
Well, I’m pressed for time right now. But thanks for this info.
@K – It’s all good! As I mentioned in my post, doing the complete upgrade is good but not compulsory because the flaw is found only in the xmlrpc.php file. At least you learned a lesson about reading instructions carefully and about changing passwords, right? Next time, you’ll know what to do. :D
I’m really so dumb. I actually updated the whole set of WP files. COMPLETE. I didn’t read carefully; it turns out only one was needed. Sometimes this upgrade is confusing and not clear to me; WordPress should list down what file and how-to instructions so it’s easy for everyone. But that’s okay, at least it gives me the idea that we should change our password every so often.
@jhay – Really? How many blogs did you upgrade last night? Upgrading a WordPress installation is fun but when you have multiple blogs to maintain, it can be very time consuming. Having a fast Internet connection helps in speeding up the upgrade process. :)
@deric – You’re welcome! Glad to be of help. I see that you’re using Windows Live Writer. I’ve tried it but I just can’t seem to get used to it. I dunno why. Probably coz I want to have full control of how I compose my posts and the way they’re formatted. :D
Btw, how long have you been using Windows Live Writer? Do you use it all the time or only for the nursing site?
I just upgraded all my blogs last night. It was a marathon upgrade session really. :mrgreen:
Thanks, Jaypee, for highlighting the issue about XML-RPC. That file is essential for my Windows Live Writer to connect to my nursing site. It’s good to know that they’ve fixed the flaw already. :mrgreen: