ID: IRCNE2012041479
Date: 2012-04-24
According to ZDNet, WordPress has announced a security update, version 3.3.2, for all previous versions of its free and open source blogging tool. The project did not say how many vulnerabilities it fixed beyond noting that the number was in double digits, but it did elaborate on some of the changes in WordPress 3.3.2. The new version can be downloaded from wordpress.org/download.
Three external libraries included in WordPress received security updates:
· Plupload (version 1.5.4), which WordPress uses for uploading media. This one was disclosed by Neal Poole and Nathan Partlan.
· SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins. This one was also disclosed by Neal Poole and Nathan Partlan.
· SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes. This one was disclosed by Szymon Gruszecki.
WordPress 3.3.2 also addresses:
· Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances. This one was disclosed by Jon Cave of the WordPress core security team, and Adam Backstrom.
· Cross-site scripting vulnerability when making URLs clickable. This one was also disclosed by Jon Cave.
· Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. This one was disclosed by Mauro Gentile.
For all the details, check the full WordPress change log. If you have discovered a security vulnerability in WordPress, you can responsibly disclose it via Automattic's security page.
WordPress sites are a popular target for cyber criminals, and compromised installs are routinely used to serve malware to visitors. Update now, if you haven't already.
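Because two of the patched libraries (SWFUpload and SWFObject) are no longer shipped by core but may still be bundled by plugins and themes, updating core alone does not remove them. The script below is an added practitioner check, not part of the original advisory and not WordPress project code: it reads the installed core version, flags anything older than 3.3.2, and lists files under the plugin and theme directories whose names match the libraries above (Plupload is included on the assumption that a plugin may ship its own older copy). The standard directory layout, the file-name patterns, and the sample install it builds are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not WordPress project code): audit a WordPress install for a
# core version older than 3.3.2 and for plugin/theme copies of the upload and
# embed libraries named in the advisory. Assumptions: the standard directory
# layout, and that bundled copies keep their upstream file names.

# Print the value of $wp_version from wp-includes/version.php.
wp_version() {
    sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Succeed if dotted version $1 is strictly older than $2 (numeric per field).
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$1" ]
}

# List files in plugins/ and themes/ whose names match the library names.
# Plupload is included because a plugin may ship its own (older) copy.
find_flash_libs() {
    find "$1/wp-content/plugins" "$1/wp-content/themes" -type f \
        \( -iname 'swfupload*' -o -iname 'swfobject*' -o -iname 'plupload*' \) \
        2>/dev/null | sort
}

# Human-readable report for one install root.
audit_wordpress() {
    v=$(wp_version "$1")
    if [ -z "$v" ]; then
        echo "could not read wp-includes/version.php under $1"
    elif version_lt "$v" 3.3.2; then
        echo "core $v is older than 3.3.2: update"
    else
        echo "core $v: patched"
    fi
    find_flash_libs "$1" | sed "s#^$1/##; s/^/bundled library, check its version: /"
}

# Constructed sample install for the demonstration: an unpatched core and one
# plugin that still ships SWFUpload and SWFObject. Prints the temp directory.
make_sample_install() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" \
             "$root/wp-content/plugins/legacy-gallery/js" \
             "$root/wp-content/themes/twentyeleven"
    printf '%s\n' '<?php' "\$wp_version = '3.3.1';" > "$root/wp-includes/version.php"
    : > "$root/wp-content/plugins/legacy-gallery/js/swfupload.swf"
    : > "$root/wp-content/plugins/legacy-gallery/js/swfobject.js"
    : > "$root/wp-content/themes/twentyeleven/style.css"
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /path/to/wordpress   (with no argument nothing runs)
if [ "$#" -gt 0 ]; then
    audit_wordpress "$1"
fi
```

A hit on a bundled copy is not by itself a vulnerability: it tells you which plugin or theme to check against its own upstream for a release that picks up the fixed library, or to replace if it is unmaintained.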
Related Links:
Infected WordPress blogs blamed for Mac Flashback Trojan
Compromised WordPress sites serving client-side exploits and malware