The WordPress blog lists the following security enhancements and fixes in WordPress 3.1.3.

• Various security hardening
• Taxonomy query hardening
• Prevent sniffing out user names of non-authors by using canonical redirects.
• Media security fixes
• Improves file upload security on hosts with dangerous security settings.
• Cleans up old WordPress import files if the import does not finish.
• Introduce “clickjacking” protection in modern browsers on admin and login pages.

Interested users can consult WordPress trac for detailed information on all fixes that have been applied to this release.

The developers have added quite some security hardening to the new release as you can see from the list of changes above. It is still recommended to update WordPress installations as soon as possible to improve security and close the security and privacy vulnerabilities fixed in the release.

Self-hosted WordPress blogs are already picking up on the update and notifying administrators in the dashboard about the update.

It is as usual possible to apply and install the WordPress update right from the admin dashboard, or by downloading the new release from WordPress to install it manually by uploading file to the server.

The WordPress Codex lists the file changes in this new release.

The update is currently not announced on the frontpage of the admin interface which means that WordPress admins need to click on Updates to see the update options.

It is as usually possible to install the update right away by downloading it directly to the server running the blog. The script handles the download, unpacking and installation of the new version automatically.

Users who want to test the release first can also download it instead to do just that.

The vulnerability reads:

Fix XSS vulnerabilities in the KSES library: Don’t be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url()

WordPress rates the vulnerability as critical which means that webmasters should update their blogs as soon as possible to protect it from possible exploits of the issue.

WordPress is also available directly at the official website.

The vulnerability exploits a new feature that has been introduced in WordPress 2.9: the trash. The trash is a basic trashcan where deleted posts are placed so that they can be restored if they have been deleted by accident. This trash can be disabled but is activated by default on all WordPress 2.9 and later blogs.

Every logged in user, even those with the subscriber role, can access all deleted articles and posts that have been moved to the trash. This might not affect the majority of blogs as there need to be at least two registered users and at least one user that is not trusted by the administrator of the site.

In theory though anyone with a user account at the website can access the trashed articles regardless of which user wrote them.

The WordPress 2.9.2 patch fixes this exploit so that this is no longer possible. WordPress 2.9.2. can be downloaded from the official WordPress website. Users who have configured their blog for automatic updates can also update the blog from within the blog right away.

According to Mashable there are two clues that your blog has been successfully attacked by the computer worm:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account.

Webmasters are asked to update their blogs to the latest version of WordPress immediately. Those that have been hit by the computer worm should backup all files, export their settings, and do a clean install of WordPress. More help is offered at the WordPress website.

Rant:

It’s Sunday and it is time for a little rant. Webmasters who do not update their blogs as soon as a new version of their blogging software is released are acting stupid. A WordPress update usually takes less than ten minutes and ensures that the blog and server is protected from attacks like these. Webmasters who do not have the time to perform these updates should consider switching to a hosted blogging platform like that at Blogger or WordPress.com. The automatic update option that has been introduced in recent WordPress versions makes it even easier to update the blog as soon as a new version is released. Webmasters who cannot do this should not operate a self hosted blog, period.

A fix was released with the announcement of the vulnerability which consisted of one line of code that had to be edited in the wp-login.php file of the WordPress installation. WordPress installations with the fix are safe from these kinds of attacks.

The WordPress team has nevertheless released WordPress 2.8.4. as a response to the security vulnerability. The new release patches this vulnerability and is a recommended update for every WordPress installation. The WordPress developers are providing additional information about the vulnerability in the announcement post as well.

It was only possible to reset a password of the first user account without a key according to this post which usually is the admin account of the WordPress installation. WordPress is not showing the new version in its interface. This may change in the next hours.

WordPress admins should head over to the WordPress website to download the new version as of now.

A new post appeared on the WordPress discussion list today revealing more details about the process. Everyone is apparently able to reset a WordPress password if the email address of the WordPress user is known. All that needs to be done is to point the web browser at http://www.domain.com/wp-login.php?action=lostpassword to reset the password. The email address of the account holder has to be supplied in the form. WordPress usually will send a confirmation email first asking the email account owner if the password should be reset. The vulnerability manipulates the query to skip this step.

It is not possible to exploit this vulnerability further which means attackers cannot get access to the user account. It can however be theoretically be used to reset the password regularly to lock the user or admin out of the WordPress blog.

A temporary fix for the remote admin password reset vulnerability was posted. WordPress administrators need to change one line of code in the wp-login.php file of the WordPress installation to protect their blog from the attack.

Replace

if ( empty( $key ) )

With

if ( empty( $key ) || is_array( $key ) )

It is advised to apply the temporary fix as soon as possible to WordPress installations.