WordPress 2.6.5 is now available for download. I know some of you guys aren’t too keen on going through another security upgrade and would want to hold off upgrading until 2.7 gets released. The Automattic team, however, is recommending that everyone upgrade immediately. According to the update page:
The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/version.php from the 2.6.5 release package.
2.6.5 contains three other small fixes in addition to the XSS fix. The first prevents accidentally saving post meta information to a revision. The second prevents XML-RPC from fetching incorrect post types. The third adds some user ID sanitization during bulk delete requests. For a list of changed files, consult the full changeset between 2.6.3 and 2.6.5.
So there you have it, guys. Don’t hold off upgrading because you want WordPress 2.7 to be your next version of WordPress. You can update to 2.6.5 by replacing just two files: upload wp-includes/feed.php and wp-includes/version.php to your wp-includes folder, overwriting the existing files. They are also skipping 2.6.4 to prevent confusion with a fake version that had fooled some people a few weeks ago.