Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.

大概意思是，昨天检查出一个漏洞，攻击者可以通过一个特定的网址绕过安全检查，验证用户并且重设密码。结果会导致数据库中第一个账户（通常是管理员帐户）的密码被重置，并且一个新的密码会被电邮至帐户所有者。这并不允许远程访问，不过也是很讨厌的。昨晚我们已经修复了这个问题，并且不断测试其他可能会出现的情况。现在提供的WordPress2.8.4已经修复了所有已知的问题，强烈建议所有WordPress用户更新。

Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1.  Luckily, the entire WordPress community has our backs.  Several folks in the community dug deeper and discovered areas that were overlooked.  With their help, the remaining issues are fixed in 2.8.3.  Since this is a security release, upgrading is highly recommended.  Download 2.8.3, or upgrade automatically from your admin.

也就是修复了个权限升级的问题吧，这是作者在2.8.1中遗漏的，既然是安全更新，建议大家实时跟进。

WordPress 2.8.2 fixes an XSS vulnerability. Comment author URLs were not fully sanitized when displayed in the admin. This could be exploited to redirect you away from the admin to another site.  Download 2.8.2 or automatically upgrade from the Tools->Upgrade page of your blog’s admin.

WordPress修补了一个XSS漏洞，评论作者的网址如果没有经过完全审查便显示在管理页面时，很可能让你从管理页面跳转到另外的网址。虽然没有遇到过这样的情况，看了下大家，基本上都升级了，所以~还是建议没升级的去下载或者是自动升级吧！（当然是选自动啦，多方便，hoho）

WordPress 2.8.1 fixes many bugs and tightens security for plugin administration pages. Core Security Technologies notified us that admin pages added by certain plugins could be viewed by unprivileged users, resulting in information being leaked. Not all plugins are vulnerable to this problem, but we advise upgrading to 2.8.1 to be safe

这是官方的升级说明，大概翻译过来就是：

WordPress的2.8.1修正了许多bug，加强了插件管理页面的安全性。Core Security Technologies通知官方，管理页面添加某些插件可以被认为是无特权的用户而导致信息泄漏。虽然并不是所有的插件都会遇到这个问题，但建议升级到2.8.1来保证安全。

官方都这么建议了，所以~大家还是与时俱进吧~hoho

呆了数秒后提示我升级成功了~ 这期间我一直张大嘴巴看着..囧（没想到自动升级这么方便）

印象中我只修改了主题文件，所以如果你对WP文件修改比较多的话，建议还是暂时别升，或者备份好你修改过的文件后再升级..

猛点我去官方看更新日志

WordPress 2.6.5 修正了一个可能会引发跨站攻击的 Bug。幸运的是，这个Bug 只影响运行 Apache 2.x 的基于 IP 的虚拟主机。
除此之外，另有以下三处改进：

• 防止日志元信息意外地写入到修订版本之中
• 防止 XML-RPC 获取错误的日志类型
• 在批量删除前对用户 ID 进行检查过滤

WordPress 2.6.4 已经被跳过。语言包无变化，可沿用 WordPress 2.6.2 的语言包。

• WordPress2.6.5完整压缩包
• WordPress 2.6.3 到 2.6.5 的升级补丁
• WordPress 2.6.5 语言包

下载后解压缩，上传覆盖旧文件，OK~

如果是从2.6.2升级的话，只需要下载升级包后上传覆盖即可，升级包内含有三个文件：

wordpresswp-includes目录下的class-snoopy.php、version.php，wordpresswp-adminincludes目录下的media.php

顺便期待下WordPress2.7早日发布~

WordPress 中文团队也已经根据官方的压缩包制作出了简体中文版。

本次更新，主要是修正了一些 Bug，并且排除了多处安全隐患。所以，如果您使用的是 WordPress 2.6.1 或更老的版本，强烈建议您进行升级。

下载覆盖上传完毕，居然不需要运行upgrade.php..哈…