WordPress has announced a new security update for all previous versions of its free and open source blogging tool. The organization wouldn't reveal how many vulnerabilities it fixed, but it did note that they were in double digits, and it did elaborate on some of the changes in WordPress 3.3.2. You can download the new version from wordpress.org/download or from your Dashboard (Updates menu in your site's admin area).
Three external libraries included in WordPress received security updates:
- Plupload (version 1.5.4), which WordPress uses for uploading media. This one was disclosed by Neal Poole and Nathan Partlan.
- SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins. This one was also disclosed by Neal Poole and Nathan Partlan.
- SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes. This one was disclosed by Szymon Gruszecki.
WordPress 3.3.2 also addresses:
- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances. This one was disclosed by Jon Cave of the WordPress core security team, and Adam Backstrom.
- Cross-site scripting vulnerability when making URLs clickable. This one was also disclosed by Jon Cave.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. This one was disclosed by Mauro Gentile.
WordPress is a popular attack vector for cyber criminals, as you can see in the links below. Update now, if you haven't already.
- Compromised WordPress sites serving client-side exploits and malware
- Hackers attack zero-day flaw in WordPress themes
- WordPress blogs hacked, redirecting to malware
- Password-reset flaw haunts WordPress admins
- Fake WordPress site distributing backdoored release
- WordPress shuts door on new PHP attack vector