WordPress 2.0.4, the latest stable release in our Duke series, is available for immediate download. This release contains several important security fixes, so it’s highly recommended for all users. We’ve also rolled in a number of bug fixes (over 50!), so it’s a pretty solid release across the board.
I can’t find any documentation stating the user registration vulnerability has been fixed, but Kelson is reporting it has been taken care of in WordPress 2.0.4. I believe this WordPress release was pushed out quickly due to some information revealed by Dr. Dave earlier in the week.
I’m still not 100% sure that the problems pointed out by Dr. Dave have been fixed. Can anyone confirm that they have been? For those interested, here’s a list of bugs that have been closed as of the 2.0.4 release [via Dougal Campbell].
UPDATE: WordPress 2.0.4 does indeed fix the user registration vulnerability. Dr. Dave has done some testing of his own and seems pretty sure this vuln is fixed. It’s still probably a good idea to disable user registration just to be safe:
As for the “users can register” option: enabling it back should be OK.
I personally will leave it off on my blogs, as I just don’t feel like entrusting strangers with access to wp-admin in the current state of the code (I insist that the aforementioned exploit has been fixed now; I am only being paranoid here).