• Back to all releases

Version 2.7 RC 2 of WordPress

Changes: This is a security release. It fixes a problem where an authenticated user (with a user login, not just a commenter) could read trashed posts by other authors. This problem only affected posts removed using the new Trash feature. Though this is only an issue for sites with untrusted registered accounts, all users are encouraged to upgrade.

Changes: This release addressed a few issues which appeared with certain host configurations. The main problem was that with certain versions of the Curl libraries, the wp-cron functionality could fail, affecting features such as scheduled posts and pings.

Changes: A few of this release are global undo and "trash", image editing (crop, rotate, scale, flip), post thumbnail support for themes, batch plugin update and compatibility checking, easy video embedding via the oEmbed standard, the use of rel=canonical for SEO, commentmeta for extending comments, improved API support for custom post types, extensible registration and user profiles, and many other new features, enhancements, and performance improvements.

Changes: This release fixes two security problems that could be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading is recommended. The first problem was an XSS vulnerability in Press The second problem was an issue with sanitizing uploaded file names that could be exploited in certain Apache configurations.

Changes: A vulnerability was discovered in which a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset, and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying. This release, which fixes all known problems, is now available for download and is highly recommended.