Um … meh … great.
WordPress 2.6.5 has been released, which is a security upgrade.
I did not expect this at all as WordPress 2.7 is supposed to be released very soon.
And what is in this security release? Well, there is one security fix and three bug fixes.
The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.
2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.
Got that? Good. Me neither.
Now what I think it the most important part of this is where is 2.6.4?
Well, a fake WordPress site released version 2.6.4 that contained code that opens up the entire WordPress installation. There is no version 2.6.4. If you are running it, your WordPress was hacked. Instructions for clearing this up are available at Viper007Bond.
As always, I recommend upgrading to 2.6.5. Enjoy! I know how you all love the upgrades.
***Update: This release can be updated with 5 files rather than having to upgrade the entire installation.
photo credit: Heraklit