Critical WordPress Security Defect Found and Fixed in 2.0.7

By Angsuman Chakraborty, Gaea News Network
Thursday, January 11, 2007

While WordPress 2.0.6 is still hot a serious security defect (SQL injection attack) was found and fixed in WordPress 2.0.7, which is currently available as RC1 (release candidate 1). The key defects fixed are:
Security defect
Worked around a PHP bug for PHP 4.x less than 4.4.3 and PHP 5.x less than 5.1.4 with register_globals ON that could potentially lead to SQL injection and other security breaches.

Feed defects

  1. Feeds should properly show 304 Not Modified headers (a.k.a. the FeedBurner bug) instead of mismatched 200/304 headers
  2. Backport of another 304 Not Modified fix from trunk (Etag mismatch on certain hosts would cause 200 OK and content to always be served, a waste of bandwidth)

Convenience & Misc.

  1. Deleting WP Pages no longer gives an “Are You Sure?” prompt
  2. After deleting a WP Page, you are properly redirected to the Edit Pages screen
  3. Sending an image at original size in IE no longer adds an incorrect “height” attribute

You can download the release candidate here. I have started testing 2.0.7 RC1 on live blogs.

will not be displayed