WordPress 2.8.2 Fixes a Security Vulnerability

July 20, 2009 at 9:00 AM · 3 comments

in Operations, PHP, Social Software

As many of you who happen to blog via WordPress are waking up to this, you may have noticed that WordPress 2.8.2 is now available for download/updating.

Yep, that’s right: version 2.8.2.

For those of you who have just completed your due diligence and your blog upgrades, this may be one of those “Gotcha!” moments that make you cringe, even if ever so slightly. As reported on the WordPress dev blog, this release addresses a cross-site scripting (XSS) vulnerability that may occur with comment author URLs, allowing unsanitized URLs to appear in the admin console.

Our recommendation for our blogging audience is, of course, to download WordPress 2.8.2, set it up in your testing environment and vet it through your test suite(s), prepare your CM machinery to handle the new version if it passes your tests, and deploy it to your production environment. If you haven’t incorporated scripted testing of URLs in the admin console, this represents an opportunity to add it and to set up code for generating bogus URLs… ;-)
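As an added illustration of the scripted check suggested above (example code written for this page, not WordPress's own escaping code; the scheme allowlist, the helper names and the constructed test URLs are assumptions), the snippet renders a comment author link the way an admin comment list would, once without escaping and once with it, and reports which bogus URLs survive as live markup:

```python
import html
from urllib.parse import urlsplit

# Assumed policy for comment author URLs: only plain web links may become an href.
ALLOWED_SCHEMES = {"http", "https"}


def sanitize_author_url(url: str) -> str:
    """Return a URL acceptable for an href, or "" if it must be dropped."""
    url = url.strip()
    # Drop control characters; some browsers skip them when parsing a scheme.
    url = "".join(ch for ch in url if ch.isprintable())
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return ""
    return url


def render_author_link(author: str, url: str, escape: bool = True) -> str:
    """Render the author cell of a comment row.

    escape=False reproduces the unsanitized rendering the post describes;
    escape=True is the hardened form: scheme check plus attribute escaping."""
    if not escape:
        return f'<a href="{url}">{author}</a>'
    name = html.escape(author, quote=True)
    safe_url = sanitize_author_url(url)
    if not safe_url:
        return name  # no link at all rather than a dangerous one
    return f'<a href="{html.escape(safe_url, quote=True)}">{name}</a>'


# Constructed inputs: the kind of "bogus URLs" a scripted test would submit.
BOGUS_URLS = [
    'http://example.com/"><script>alert(1)</script>',
    "javascript:alert(1)",
    "JaVaScRiPt:alert(1)",
    'http://example.com/a?x="onmouseover="alert(1)',
    "data:text/html;base64,PHNjcmlwdD4=",
]


def cell_is_inert(rendered: str) -> bool:
    """Pass/fail rule for one rendered cell: one anchor at most, no script."""
    lowered = rendered.lower()
    return ("<script" not in lowered
            and 'href="javascript' not in lowered
            and lowered.count("<") <= 2)


def run_checks(urls=BOGUS_URLS, escape=True):
    """Return the URLs whose rendering is NOT inert (empty list means all pass)."""
    return [u for u in urls if not cell_is_inert(render_author_link("Test Author", u, escape))]
```

Running `run_checks(escape=False)` lists every payload that leaks through the unescaped rendering, while `run_checks()` returns an empty list for the hardened one.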

{ 1 comment }

Steve July 20, 2009 at 11:37 AM

Many people have E-mailed and IM’ed me that they also perform separate plugin testing.

For those of you in this situation (and yes, DevPal and Javamancy ALSO do this!), please note that Akismet has been upgraded to 2.2.6 as well. Since Akismet is routinely shipped with the WordPress distributions, it is usually not a problem for some folks to use the included version. However, for completeness, some dev groups prefer to fetch the separate downloadable plugin distribution and just use that to overwrite any and all other copies, even the one included with the main WP distro.

Good luck, folks!
