WordPress warns of critical flaw, update to 3.0.4 immediately

Filed Under: Vulnerability

The WordPress team has alerted WordPress users to a critical XSS flaw in versions 3.0.3 and previous. WordPress has not sent out many alerts of this importance, and during the holiday downtime it increases the difficulty for many teams to consider upgrading.

On initial inspection it would appear to be quite trivial for folks with malicious intent to exploit these flaws, so consider applying this update before popping the cork on the bubbly on New Years Eve.

WordPress users who have subscribed to their security mailing list should have already received a notice of the update.WordPress email alert for 3.0.4The email states:

First off, happy holidays. :) I hope this time of the year, chilly for many of you, has given you time to enjoy family, friends, and loved ones and reflect on the year before and the year to come.

My last message to you this year is an important but unfortunate one: we've fixed a pretty critical vulnerability in WordPress' core HTML sanitation library, and because this library is used lots of places it's important that everyone update as soon as possible.

I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.

You can update in your dashboard, on the "updates" tab, or download the latest WordPress here:


The official release announcement is here:


Merry WordPressing in 2011,
Matt Mullenweg

Looking at the source code changes it would appear that the flaws exist in parts of the code which are case-sensitive when detecting which protocols are allowed in certain parts of the application. The update prohibits evading the rules with mixed case input.

Bloggers hosting their own instance of WordPress are advised to update immediately. Those of us at SophosLabs will be sure to update Naked Security readers if this is seen to be exploited in the wild.

, ,

You might like

6 Responses to WordPress warns of critical flaw, update to 3.0.4 immediately

  1. Updated. Thanks lads.

  2. ksk · 1744 days ago

    how come there are always....flaws....AND GIANT ONES>>>>

  3. jvrudnick · 1744 days ago

    timely notice here, Chet...much obliged for my own and my clients WP security, eh!



  4. Fortunately (for me), I have already updated all of mine.


  5. there is little flaw in WordPress 3.0.4 that I found...... its vulnerable to XSS if attacker has been assigned the role of editor

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.