WordPress Release: 3.0.2

Tag Name: 3.0.2

Release Date: 12/8/2010


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.0.2 is a maintenance and security release that addresses several bugs and security vulnerabilities in the core platform and the Twenty Ten theme. This update fixes issues with user permissions, improves compatibility with Internet Explorer, corrects canonical URL handling, and removes the potentially exploitable pingback/trackback blogroll whitelisting feature. The release also includes various improvements to the Twenty Ten theme, including better template organization and fixes for header image display issues.

Highlight of the Release

  • Fixed security vulnerability by removing pingback/trackback blogroll whitelisting feature
  • Improved user permission handling for WordPress administrators and multisite super admins
  • Enhanced Twenty Ten theme with better template organization and fixes for various display issues
  • Fixed Internet Explorer compatibility issues in the Twenty Ten theme
  • Corrected canonical URL handling for permalinks with nested categories

Migration Guide

No specific migration steps are required for this maintenance release. WordPress 3.0.2 is a direct update from previous 3.0.x versions and does not introduce any breaking changes that would require special migration procedures.

Upgrade Recommendations

This update is highly recommended for all WordPress 3.0.x users due to the security fixes included. The release addresses several security vulnerabilities, particularly the removal of the potentially exploitable pingback/trackback blogroll whitelisting feature. Additionally, the fixes for user permissions and content type handling improve the overall security posture of your WordPress installation.

To upgrade:

  1. Back up your WordPress files and database
  2. Download WordPress 3.0.2 from the WordPress.org website
  3. Deactivate plugins
  4. Upload the new files
  5. Run the WordPress update script by visiting /wp-admin/upgrade.php
  6. Reactivate plugins

Alternatively, you can use the automatic update feature if your installation supports it.

Bug Fixes

Core Fixes

  • Fixed user permission handling with improved checks in map_meta_cap() for super admin status
  • Corrected the delete_user meta capability
  • Fixed canonical redirection for permalinks containing %category% with nested categories and pagination (fixes #13471)
  • Eliminated irrelevant error messages during plugin activation (fixes #15062)
  • Improved multisite detection by checking for SUBDOMAIN_INSTALL in is_multisite() (fixes #14536)
  • Fixed the UPLOADS constant definition (fixes #14840)
  • Corrected content type generation for files requested with query strings (fixes #14450)
  • Reverted to using "GPL" license description instead of specifically "GPLv2" (fixes #14685)

Twenty Ten Theme Fixes

  • Fixed header image display by checking for its existence before showing it (fixes #14486)
  • Corrected header positioning in Internet Explorer 9 (fixes #14883)
  • Fixed IE6 compatibility by setting incompatible CSS rules in different selectors (fixes #14688)
  • Improved image size handling (fixes #14303)
  • Fixed long taglines that were hidden under the header image in IE7 and earlier (fixes #15113)
  • Prevented widget select boxes from being cut off by the sidebar (fixes #15114)

New Features

WordPress 3.0.2 is primarily a maintenance and security release focused on bug fixes rather than new features. The Twenty Ten theme has been updated to version 1.1 with improved template organization through the introduction of loop-page.php, loop-single.php, and loop-attachment.php template parts.

Security Updates

Security Enhancements

  • Removed the pingback/trackback blogroll whitelisting feature due to potential abuse vectors (fixes #13887)
  • Improved SQL preparation and escaping in several areas of the codebase
  • Enhanced user permission handling with fixes to map_meta_cap() and current_user_can_for_blog() for multisite super admins
  • Fixed content type handling for files requested with query strings to prevent potential security issues
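The content type defect listed under Core Fixes (#14450) and again above comes from deriving a file's type from a request string that may still carry a query string. The Python below is an added illustration of that defect class and of the corrected approach; it is not the WordPress code that was changed, and the extension table, fallback type and sample requests are constructed for the example.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed extension table for this illustration (not WordPress's own list).
TYPES = {
    "jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
    "gif": "image/gif", "css": "text/css", "js": "application/javascript",
    "pdf": "application/pdf", "html": "text/html",
}
# Constructed fallback served when no extension matches.
FALLBACK = "application/octet-stream"


def content_type_naive(request: str) -> str:
    """Before: take whatever follows the last dot in the raw request string.
    A query string such as ?ver=3.0.2 becomes part of the 'extension'."""
    if "." not in request:
        return FALLBACK
    ext = request.rsplit(".", 1)[1].lower()
    return TYPES.get(ext, FALLBACK)


def content_type_fixed(request: str) -> str:
    """After: split off the query string and fragment first, then take the
    extension of the path component only."""
    path = urlsplit(request).path
    ext = posixpath.splitext(path)[1].lstrip(".").lower()
    return TYPES.get(ext, FALLBACK)


def compare(request: str) -> tuple:
    """Return (naive, fixed) so the two behaviours can be read side by side."""
    return content_type_naive(request), content_type_fixed(request)


# Constructed sample requests, as a theme or plugin might emit them.
SAMPLES = [
    "/files/2010/12/header.jpg",          # no query string: both agree
    "/files/2010/12/header.jpg?ver=1.1",  # cache-buster: naive loses the type
    "/files/style.css?ver=3.0.2",         # naive sees extension "2"
    "/files/photo.png?ref=index.html",    # naive labels an image as HTML
]

if __name__ == "__main__":
    for req in SAMPLES:
        naive, fixed = compare(req)
        print(f"{req:38} naive={naive:26} fixed={fixed}")
```

The last sample shows why this is a security fix and not only a correctness one: a query string can push the server into announcing a type the file does not have, which is exactly the kind of mismatch browsers are then expected to act on.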

Performance Improvements

This release does not include any significant performance improvements. The focus was primarily on bug fixes, security enhancements, and theme improvements.

Impact Summary

WordPress 3.0.2 is a maintenance and security release that addresses several important issues in both the WordPress core and the Twenty Ten theme. The most significant impact comes from security improvements, particularly the removal of the pingback/trackback blogroll whitelisting feature that could be abused.

For administrators, the release improves user permission handling, especially in multisite environments. Developers will benefit from fixes to canonical URL handling, content type generation, and the UPLOADS constant definition. Content creators will experience fewer error messages during plugin activation, and site visitors will enjoy better theme compatibility across different browsers, especially Internet Explorer.

The Twenty Ten theme receives substantial improvements in this release, with better template organization through the introduction of template parts, fixed header image display, and improved widget handling in the sidebar. These changes enhance both the functionality and appearance of the default WordPress theme.

Overall, this release strengthens WordPress's security posture while addressing several usability and compatibility issues, making it an important update for all WordPress 3.0.x users.

Statistics:

  • Files changed: 12
  • Line additions: 32
  • Line deletions: 43
  • Line changes: 75
  • Total commits: 31

Users Affected:

  • Fixed issues with user permission handling through improved `map_meta_cap()` and `delete_user` meta capability
  • Enhanced multisite super admin permissions with fixes to `current_user_can_for_blog()`
  • Removed potentially exploitable pingback/trackback blogroll whitelisting feature

Contributors:

nacin, markjaquith, dd32, ryanboren, westi