WordPress warns of critical flaw, update to 3.0.4 immediately


The WordPress team has alerted users to a critical XSS flaw in versions 3.0.3 and earlier. WordPress has not sent out many alerts of this importance, and the holiday downtime makes it more difficult for many teams to consider upgrading.

On initial inspection, it would appear to be quite trivial for folks with malicious intent to exploit these flaws, so consider applying this update before popping the cork on the bubbly on New Year's Eve.

WordPress users who have subscribed to their security mailing list should have already received a notice of the update. The email states:

First off, happy holidays. :) I hope this time of the year, chilly for many of you, has given you time to enjoy family, friends, and loved ones and reflect on the year before and the year to come.

My last message to you this year is an important but unfortunate one: we’ve fixed a pretty critical vulnerability in WordPress’ core HTML sanitation library, and because this library is used lots of places it’s important that everyone update as soon as possible.

I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.

You can update in your dashboard, on the “updates” tab, or download the latest WordPress here:


The official release announcement is here:


Merry WordPressing in 2011,
Matt Mullenweg

Looking at the source code changes, it would appear that the flaws exist in parts of the code that are case-sensitive when detecting which protocols are allowed in certain parts of the application. The update prevents those rules from being evaded with mixed-case input.
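A simplified model of this class of bug, added here as an illustration and not taken from the WordPress source or its patch: a filter whose comparisons are case-sensitive next to one that normalises case first. The attribute list, scheme allowlist, function names and sample inputs are all constructed for the example.

```python
import re

# Constructed policy for this example (not WordPress's actual lists).
URL_ATTRS = {"href", "src", "action"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# RFC 3986 scheme: a letter, then letters, digits, "+", "-" or ".".
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

def scheme_of(value):
    """Return the scheme exactly as written, or None for a relative URL."""
    m = SCHEME_RE.match(value.strip())
    return m.group(1) if m else None

def filter_naive(name, value):
    """Case-sensitive comparisons: the flawed pattern."""
    if name not in URL_ATTRS:      # "HREF" != "href", so the check is skipped
        return value
    scheme = scheme_of(value)
    if scheme is None or scheme in ALLOWED_SCHEMES:
        return value
    return ""                      # strip the disallowed value

def filter_hardened(name, value):
    """Normalise case before every comparison. HTML attribute names and
    URI schemes are both case-insensitive, so the filter must be too."""
    if name.lower() not in URL_ATTRS:
        return value
    scheme = scheme_of(value)
    if scheme is None or scheme.lower() in ALLOWED_SCHEMES:
        return value
    return ""

# Constructed sample inputs: (attribute name, attribute value).
SAMPLES = [
    ("href", "https://example.com/"),
    ("href", "javascript:alert(1)"),
    ("HREF", "javascript:alert(1)"),   # mixed-case attribute name
    ("href", "HTTPS://example.com/"),  # mixed-case but legitimate scheme
]

def compare(samples=SAMPLES):
    """Return (name, value, kept_by_naive, kept_by_hardened) per sample."""
    return [(n, v, filter_naive(n, v) != "", filter_hardened(n, v) != "")
            for n, v in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The third sample passes the case-sensitive filter untouched while the normalising filter strips it, and the fourth shows the opposite failure: a legitimate link rejected only because of its capitalisation.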

Bloggers hosting their own instance of WordPress are advised to update immediately. Those of us at SophosLabs will be sure to update Naked Security readers if this is seen to be exploited in the wild.