Boy – this sure is starting to sound like a broken record. WordPress 22.214.171.124 has now been released to fix a security vulnerability.
According to the developers:
It has come to our attention that under certain circumstances there is a security vulnerability in WordPress that may be triggered if you’re running the default template. We were able to respond very quickly (under 40 minutes) and update the download to 126.96.36.199. You can upgrade by overwriting your old 1.5 files or if you would like to apply the fix manually it is relatively simple:
- Open the
wp-includes/template-functions-category.phpfile in a text editor like Wordpad.
- Go to around line 103 where it says
- Create a new line after that and paste in
$cat_ID = (int) $cat_ID;
One note, even if the vulnerability was present in your blog, you would still be safe if your host ran
mod_securityon their servers. It is an Apache module which can provide very high-level protection against everything like the vulnerability above to comment spam. We will be updating the hosting page shortly to reflect which hosts there support
So, if I understand what they’re saying correctly, the vulnerability only affects users who are running the default template…? Nonetheless, I’d go ahead and make the upgrade (or just do the manual fix) – never want to chance having a security hole. Oy.