WordPress 3.0.2 hardens security

WordPress 3.0.2 is available and is a mandatory security update for all previous WordPress versions.

This maintenance release fixes a moderate security issue that could allow a malicious Author-level user to gain further access to the site, addresses a handful of bugs, and provides some additional security enhancements.

Other bugs and security hardening:

  • Remove pingback/trackback blogroll whitelisting feature as it can easily be abused.
  • Fix canonical redirection for permalinks containing %category% with nested categories and paging.
  • Fix occasional irrelevant error messages on plugin activation.
  • Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin.
  • Clarify the license in the readme.
  • Multisite: Fix the delete_user meta capability.
  • Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins.
  • Multisite: Fix ms-files.php content type headers when requesting a URL with a query string.
  • Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs.

Download 3.0.2 or update automatically from the Dashboard > Updates menu in your site’s admin area. You should update immediately even if you do not have untrusted users.