On December 29th, 2010, WordPress released version 3.0.4. This minor update contains a critical security patch that addresses a recently discovered exploit for WordPress. Here is the official note from WordPress.org:
On December 29, 2010, WordPress 3.0.4 was released to the public. This is a critical security update for all previous WordPress versions.
Fixes XSS vulnerabilities in the KSES library: Don’t be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url().
It is highly recommended that you update your WordPress installation immediately.
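
The three fixes listed in the note, sketched as an added PHP example. It is not WordPress's KSES code; the function names, the attribute policy and the sample inputs are assumptions made for illustration. It sets a scheme allowlist that inspects the raw attribute text beside one that normalizes entities and lower-cases attribute names first.

```php
<?php
// Added illustration, not WordPress/KSES code; every name here is hypothetical.

// Decode character references as a browser does: zero-padded, semicolon optional.
function normalize_entities(string $s): string {
    $s = preg_replace_callback('/&#(?:x([0-9a-f]+)|([0-9]+));?/i', function (array $m): string {
        $code = ($m[1] !== '') ? hexdec($m[1]) : (int) $m[2];
        // Only ASCII matters for a scheme; anything else becomes U+FFFD.
        return ($code >= 1 && $code <= 127) ? chr((int) $code) : "\u{FFFD}";
    }, $s);
    return html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); // named references
}

// Scheme of a URL in lower case, or null for a relative reference.
function scheme_of(string $url): ?string {
    // Browsers drop tab/CR/LF inside URLs and skip leading controls and spaces.
    $url = ltrim(str_replace(["\t", "\r", "\n"], '', $url), "\x00..\x20");
    return preg_match('/^([^\/?#:]*):/', $url, $m) ? strtolower($m[1]) : null;
}

// Weak form: inspects the raw attribute text, so an encoded colon hides the scheme.
function naive_url_ok(string $url, array $schemes): bool {
    $scheme = scheme_of($url);
    return $scheme === null || in_array($scheme, $schemes, true);
}

// Hardened form: normalize entities first, then check the scheme.
function url_ok(string $url, array $schemes): bool {
    return naive_url_ok(normalize_entities($url), $schemes);
}

// Attribute names are matched in lower case, so HREF and href get the same policy.
function attr_ok(string $name, string $value, array $schemes): bool {
    $name = strtolower($name);
    if (in_array($name, ['href', 'src'], true)) {   // assumed URL-bearing attributes
        return url_ok($value, $schemes);
    }
    return in_array($name, ['title', 'alt'], true); // assumed plain-text attributes
}

$schemes = ['http', 'https', 'mailto'];
$samples = [ // constructed inputs
    ['href', 'https://example.com/?a=1&amp;b=2'],
    ['HREF', 'javascript&#0000058;void(0)'],
    ['href', 'JAVASCRIPT&#x3A;void(0)'],
    ['href', '/docs/page.html#top'],
];
foreach ($samples as [$name, $value]) {
    printf("%-5s %-34s naive=%-5s hardened=%s\n", $name, $value,
        var_export(naive_url_ok($value, $schemes), true), var_export(attr_ok($name, $value, $schemes), true));
}
```

The second and third samples pass the raw-text check because no literal colon appears in them, and are rejected once the entities are decoded.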