Bloggers who rely on WordPress would be well advised to take a break from seasonal festivities in order to plug a serious security flaw in the software.

WordPress 3.0.4 tackles a serious vulnerability which, left unfixed, creates a handy mechanism for malicious hackers to break into installations of the widely used blogging software. Specifically the vulnerability stems from flaws in the HTML sanitation library used by WordPress.

In the past vulnerable installations of WordPress have facilitated the spread or worms. The flaw might also lend itself towards site compromise or blog spam.

Even though attacks against the vulnerability are yet to appear sys admins would still be well advised to apply the update, described as critical by WordPress' developers. ®

Related stories

• Zero day bug threatens many WordPress sites (2 August 2011)
• Malicious software downloads invade WordPress (22 June 2011)
• WordPress.com hack exposes confidential code (13 April 2011)
• Wordpress traces 2nd DDoS assault to China (7 March 2011)
• WordPress swiss cheese vuln situation sorted (2 December 2010)
• Web service automates WordPress password cracking (30 November 2009)
• Worm wiggles through weary WordPress (7 September 2009)