April 3, 2007 :: WordPress 2.1.3 and 2.0.10 Security Update

Started by Mark, April 03, 2007, 11:39:58 AM

Mark

A security update has been released for the WordPress blogging script. Please download the latest update from www.wordpress.org/download/

Quote from: http://wordpress.org/development/2007/04/wordpress-213-and-2010/
We have a security update release now available for both the 2.1 and 2.0 branches of WordPress now available for immediate download. This update is highly recommended for all users of both branches.

These releases include fixes for several publicly known minor XSS issues, one major XML-RPC issue, and a proactive full sweep of the WordPress codebase to protect against future problems. Many thanks to Sumit Siddharth and Alex Concha for their help with reporting issues in this release.

Jason

Here's a good read I bookmarked a couple of weeks back.  It details all the compromised versions:

http://blogsecurity.net/wordpress/articles/article-230507/

Quote
BlogSecurity incrementally harvested the WordPress software version from 50 blogs; the results were frightening to say the least.

The following statement was taken from WordPress: None of these [WordPress Versions] are safe to use, except the latest in the 2.0 or 2.1 series, which are both actively maintained.

Currently (at the time of writing this article) the latest stable versions are:

    * WordPress 2.0.10 and
    * WordPress 2.2

So now that we know where we should be, let's break down the versions of the 50 blogs we selected:

WordPress Ver    Blogs
1.2              2
1.2-beta         2
1.2.1            3
1.2.2            4
1.5              7
1.5-gamma        1
1.5.1.1          1
1.5.1.2          1
1.5.2            1
2.0              4
2.0.1            3
2.0.2            1
2.0.3            1
2.0.4            6
2.0.5            3
2.0.6            2
2.1              2
2.1.2            2
2.1.3            3
2.2              1
Total            50

In summary, out of the first 50 blogs we selected, 49 of them are potentially vulnerable to known attacks.

Mark

Wow, guess some people are too busy to be bothered to update. :(