Saturday, January 26, 2013

WordPress 3.5.1 Security Update

WordPress 3.5.1 tightens security and stops HTML from disappearing

The WordPress developers have announced a maintenance update to the popular open source blogging software. WordPress 3.5.1 fixes 37 bugs and addresses three security issues, including two cross-site scripting vulnerabilities. Users running WordPress on IIS might run into a problem that prevents the upgrade; the developers have prepared documentation to help users work around this problem.

Security issues addressed in the update include a server-side request forgery problem that allowed the exposure of information through pingbacks. According to the developers, this vulnerability could help attackers compromise an unpatched WordPress site. Cross-site scripting vulnerabilities were fixed in the external Plupload library and in the shortcode and post content handling.

The release also fixes several bugs, including HTML elements disappearing from the editor and from scheduled posts, and brings minor workflow improvements to the media manager that was introduced with WordPress 3.5 in December. WordPress now suggests rewrite rules when the user changes the network it is installed in. The software will also recover from faulty JavaScript in themes that would otherwise prevent access to the administration area. A complete list of fixes is available in the change log.

