Already 10 days of WordPress 2.9 released and WordPress 2.9.1 Release Candidate 1 is out today. However, I won’t be upgrading my blog to 2.9 until the next release of 2.9.1 version by next year and below are the coolest new features in 2.9 version: –

  • Global undo/”trash” feature
  • Built-in image editor
  • Batch plugin update and compatibility checking
  • Easier video embeds

This WordPress 2.8.6 release fixes two security problems that can be exploited by registered, logged in users who have posting privileges. Please upgrade to 2.8.6 if your blog have untrusted authors. Thanks to Benjamin Flesch for discovering the first problem which is a XSS vulnerability in Press This and thanks to Dawid Golunski for discovering an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations.

I had upgraded my blog to 2.8.6 as of you are reading this post. So, upgrade yours to avoid any exploitation.

Source: WordPress

WordPress 2.8.5 is a harden release of 2.8 branch released on October 21, 2009. This 2.8.5 version will make your site as secure as possible with the changes below: –

  • A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where php code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins.

WordPress is recommending all users to upgrade to this new version to ensure your site has the best available protection. Upgrade time…

Source: WordPress

WordPress 2.8.4 is released on August 11, 2009 because a vulnerability was discovered a day before. This vulnerability is a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. This vulnerability is critical because the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. As the result, this doesn’t allow remote access but it is very annoying to all WordPress users. So, do proceed with your WordPress upgrade now.

Source: WordPress