The open-source WordPress blogging platform has been updated to version 3.6.1, in order to fix a trio of security vulnerabilities.
WordPress is a widely deployed platform for blogging and is also suitable for general content management system usage. Currently there are more than 70 million global sites running some version of WordPress.
WordPress is available as both a hosted platform by way of the WordPress.com Website, as well as an open-source project available via WordPress.org for those who want to self-host the platform. The new WordPress 3.6.1 update is for those who self-host and will require users to update immediately to limit the risk of exploitation. Users can update directly from within their own WordPress installations to get the latest version.
Another key fix is for a privilege escalation issue. According to the WordPress 3.6.1 release announcement, the fix will “prevent a user with an Author role, using a specially crafted request, from being able to create a post ‘written by’ another user.”
The open-source blogging platform is also getting a fix for an insufficient input validation vulnerability. That vulnerability could potentially enable an attacker to inject a link into a site and then redirect users to another Website.
Going beyond just fixing immediate security flaws, WordPress 3.6.1 is also taking a proactive approach to harden the platform against security risks. One of the additional security hardening efforts in WordPress 3.6.1 is an update to security restrictions around file uploads to mitigate the potential for cross-site scripting (XSS). An XSS flaw can potentially occur when code is injected into a site, giving an attacker some form of control or unauthorised access.
“The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML,” the WordPress 3.6.1 release notes state.
Files with an .swf extension are Flash media files, while .exe denotes an executable program file.
The new WordPress update isn’t just about security fixes either. Some 13 additional bug and stability fixes are part of the update.
WordPress 3.6.1 is the first incremental update to the WordPress 3.6 platform that was first released on 1 August and has already been downloaded over 7.4 million times. Among the key features that the 3.6 version introduced are improved post auto-saving capabilities and an enhanced revision browser.
What do you know about Internet security? Find out with our quiz!
Originally published on eWeek.
Thursday outage of Three UK network impacts thousands of people, with operator confirming some 999…
British competition watchdog secures undertaking from Google to tackle fake reviews, as Amazon probe continues
After earlier revoking Biden's AI safety executive order, President Trump signs new executive order to…
OpenAI launches AI agent called 'Operator' to automatically fill out forms, make restaurant reservations, book…
Bill passed to give Pakistani government sweeping controls on social media, but critics argue it…
After Meta had warned that India's data sharing ban could collapse WhatsApp's business model, tribunal…