Went to the Aussie Bloggers forums this morning and spotted this post on an urgent WordPress upgrade (yes, I usually troll in the forums early in the morning instead of reading RSS feeds). WordPress 2.3.3 has been released fixing a few minor bugs and a security issue. Yes, again -- less than two months after WordPress 2.3.2 was released that fixed an issue exposing your draft posts. WordPress of 2008 almost felt like phpBB2 of 2005 to me.
Yes. Please call all your friends who have self-hosted WordPress blogs and get them to upgrade to the very latest version.
To see what has been changed from WordPress 2.3.2 to 2.3.3, you can use the following Subversion commands:
$ svn diff --old=http://svn.automattic.com/wordpress/tags/2.3.2 \
    --new=http://svn.automattic.com/wordpress/tags/2.3.3
This gives you the diff of the five files that have changed. The biggest change is in xmlrpc.php, in changeset 6715, where Ryan tries to fix this security issue (yes, the ticket was opened in November last year and only got fixed yesterday, 3 months later). Basically, the capability check is only performed when the submitted post type is "post", before the code has worked out what is actually being edited. So any account can edit posts and pages via XML-RPC by faking the post type as "page". For more detail on this exploit, see The Seeker Blog; it appears to be "going wild" at the moment.
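A minimal model of the ordering flaw described above, added here as an illustration and not WordPress's own xmlrpc.php code: the capability names, role table and sample posts are constructed for the example, and the flawed handler follows the post's description (check gated on the client-supplied type) rather than the real source.

```python
from dataclasses import dataclass

# Constructed role table for the example: which capabilities each user holds.
CAPABILITIES = {
    "admin": {"edit_posts", "edit_pages"},
    "subscriber": set(),
}

@dataclass
class Post:
    post_id: int
    post_type: str  # "post" or "page", as stored on the server
    content: str

def make_store():
    """Constructed sample data: one post and one page."""
    return {1: Post(1, "post", "hello"), 2: Post(2, "page", "about")}

def user_can(user, capability):
    return capability in CAPABILITIES.get(user, set())

def edit_post_vulnerable(store, user, post_id, content_struct):
    """Ordering the post describes: the capability check lives in the branch
    selected by the client-supplied post_type, so a claimed "page" skips it."""
    post = store[post_id]
    claimed_type = content_struct.get("post_type", "post")  # client-controlled
    if claimed_type == "post" and not user_can(user, "edit_posts"):
        raise PermissionError(f"{user} cannot edit posts")
    post.content = content_struct["description"]  # reached for any claimed "page"
    return post

def edit_post_fixed(store, user, post_id, content_struct):
    """Hardened ordering: derive the required capability from the stored record,
    ignore the client's claim, and check it before any write happens."""
    post = store[post_id]
    required = "edit_pages" if post.post_type == "page" else "edit_posts"
    if not user_can(user, required):
        raise PermissionError(f"{user} lacks {required}")
    post.content = content_struct["description"]
    return post

def attempt(handler, user, post_id, content_struct):
    """Run one edit against a fresh store; return (allowed, stored content)."""
    store = make_store()
    try:
        handler(store, user, post_id, content_struct)
    except PermissionError:
        return False, store[post_id].content
    return True, store[post_id].content
```

Compare `attempt(edit_post_vulnerable, "subscriber", 1, {"post_type": "page", "description": "x"})` with the same call against `edit_post_fixed`: only the hardened handler refuses the write.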
The fix also only comes in 2.3 flavour, whereas the concept of "page" has been in WordPress since 2.0. That also means all you 2.0/2.1/2.2 users are still vulnerable. You have to upgrade to the latest stable branch, although not all existing plugins and themes work with 2.3...
I think I am starting to agree with Mark...