An urgent wordpress security release is out and its time to upgrade to WordPress 2.3.3 again. This time its a flaw in XML-RPC implementation that could let people exploit your blog in malicious ways.
The WordPress team announced that they have found a flaw in XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog. Now that is really scary.
WordPress 2.3.3 also fixed a few minor bugs. They say if you are interested only in the security fix, download wordpress 2.3.3. and after extracting the package, find the xmlrpc.php file in the root directory and copy it over your existing xmlrpc.php. That’s the fastest way to fix the security problem without a full wordpress installation.
They also point to a vulnerability in the WP-Forum plugin that is being actively exploited and if you are using this plugin, remove it until an update is available.
Update – Once you only update xmlrpc.php, the wordpress alert keeps on bothering you repeatedly.
So I went around finding files which were updated since the last release. You can simply replace the changed files instead of a full install and stop the message.
xmlrpc.php
wp-admin/install-helper.php
wp-includes/version.php
wp-includes/gettext.php
wp-includes/pluggable.php