The open source WordPress blogging platform is out with version 3.0.5, a new update fixing at least five security issues.
Two of the issues are Cross Site Scripting (XSS) flaws, which I personally consider to be serious. WordPress considers the issues to be *moderate*. In general, for me, an XSS flaw that can be triggered by non-admins is a serious issue.
There is also a fix for an information disclosure issue that, WordPress warns, could have enabled a non-admin author to view posts that they aren't authorized to see.
The other two security items that WordPress 3.0.5 addresses are not fixes for specific flaws but hardening enhancements intended to make the platform more resistant to future ones.
One forces HTML filtering on comment text shown in the admin, so that markup submitted in a comment cannot execute in an administrator's browser. The other hardens check_admin_referer() when it is called without arguments, a usage plugins should avoid: a nonce check that is not tied to a specific action string does not actually verify that the request came from the intended form, so plugins should always pass an explicit action name. WordPress's release notes describe both improvements as 'defense in depth' techniques.
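To make the two hardening points concrete, here is an added example of a small plugin admin handler written the weak way and the hardened way. It is illustrative code written for this article, not the WordPress 3.0.5 patch or any real plugin: the plugin slug, option name, action string, nonce field name and function names are all made up, and the HTML filtering uses wp_kses_post() as an analogue of the comment-text filtering the release notes describe.

```php
<?php
// Added example (hypothetical plugin, not WordPress core code): an admin form
// that stores a "site notice" which is later displayed to administrators.

// --- Weak pattern ------------------------------------------------------------
// check_admin_referer() with no arguments verifies a nonce for the default
// action -1, so a nonce produced by any other argument-less wp_create_nonce()
// call in the admin passes. The raw $_POST value is stored and later echoed
// unescaped, which is stored XSS reachable by whoever can submit this form.
function example_notice_save_weak() {
    check_admin_referer();                                  // plugins should never do this
    update_option( 'example_notice', $_POST['notice'] );    // unfiltered input
}

function example_notice_render_weak() {
    echo '<div class="notice">' . get_option( 'example_notice' ) . '</div>'; // unescaped output
}

// --- Hardened pattern --------------------------------------------------------
// 1. Capability check so that Author/Contributor accounts never reach the handler.
// 2. Nonce bound to a specific action string and field name.
// 3. HTML filtered on the way in with wp_kses_post(), the allow-list WordPress
//    applies to post content: <script>, on* handlers and javascript: URLs are dropped.
// 4. Escaping on the way out, so a value that slipped through is still inert.
function example_notice_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'example_save_notice', 'example_notice_nonce' );

    $raw   = isset( $_POST['notice'] ) ? stripslashes( $_POST['notice'] ) : '';
    $clean = wp_kses_post( $raw );
    update_option( 'example_notice', $clean );

    wp_redirect( admin_url( 'options-general.php?page=example-notice&updated=1' ) );
    exit;
}

function example_notice_form_hardened() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_notice', 'example_notice_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_notice">
        <textarea name="notice"><?php echo esc_html( get_option( 'example_notice', '' ) ); ?></textarea>
        <input type="submit" class="button-primary" value="Save notice">
    </form>
    <?php
}

function example_notice_render_hardened() {
    // wp_kses_post() on output as well: defense in depth if the stored value
    // was written by some other code path that skipped the input filter.
    echo '<div class="notice">' . wp_kses_post( get_option( 'example_notice', '' ) ) . '</div>';
}

// admin-post.php dispatches POSTs with action=example_save_notice to this hook.
add_action( 'admin_post_example_save_notice', 'example_notice_save_hardened' );
```

The nonce created by wp_nonce_field( 'example_save_notice', 'example_notice_nonce' ) is only accepted by check_admin_referer() when the same action string and field name are passed back, which is the property the argument-less call lacks. Filtering both on input and on output mirrors the release notes' "defense in depth" wording: either layer alone would have stopped the weak version's XSS, and neither depends on the other being present.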