WordPress 3.3.2 is out
Three external libraries included in WordPress received security updates:
- Plupload (version 1.5.4), which WordPress uses for uploading media. This one was disclosed by Neal Poole and Nathan Partlan.
- SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins. This one was also disclosed by Neal Poole and Nathan Partlan.
- SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes. This one was disclosed by Szymon Gruszecki.
WordPress 3.3.2 also addresses:
- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances. This one was disclosed by Jon Cave of the WordPress core security team, and Adam Backstrom.
- Cross-site scripting vulnerability when making URLs clickable. This one was also disclosed by Jon Cave.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. This one was disclosed by Mauro Gentile.
For all the details, check out the full WordPress change log. If you have discovered a security vulnerability in WordPress, you can responsibility disclose it via Automattic's Security webpage.
WordPress is a popular attack vector for cyber criminals, as you can see in the links below. Update now, if you haven't already.
See also:
- Compromised WordPress sites serving client-side exploits and malware
- Hackers attack zero-day flaw in WordPress themes
- WordPress blogs hacked, redirecting to malware
- Password-reset flaw haunts WordPress admins
- Fake WordPress site distributing backdoored release
- WordPress shuts door on new PHP attack vector