WordPress Update Fixes Three Security Vulnerabilities

The open-source WordPress blogging platform has been updated to version 3.6.1, in order to fix a trio of security vulnerabilities.

WordPress is a widely deployed platform for blogging and is also suitable for general content management system usage. Currently there are more than 70 million global sites running some version of WordPress.

Immediate Update

WordPress is available as both a hosted platform by way of the WordPress.com Website, as well as an open-source project available via WordPress.org for those who want to self-host the platform. The new WordPress 3.6.1 update is for those who self-host and will require users to update immediately to limit the risk of exploitation. Users can update directly from within their own WordPress installations to get the latest version.

Among the three security flaws fixed in WordPress 3.6.1 is a PHP usage issue that could have potentially enabled arbitrary remote code execution by an attacker. WordPress uses PHP on the server side in order to run.

Another key fix is for a privilege escalation issue. According to the WordPress 3.6.1 release announcement, the fix will “prevent a user with an Author role, using a specially crafted request, from being able to create a post ‘written by’ another user.”

The open-source blogging platform is also getting a fix for an insufficient input validation vulnerability. That vulnerability could potentially enable an attacker to inject a link into a site and then redirect users to another Website.

Tightened Security

Going beyond just fixing immediate security flaws, WordPress 3.6.1 is also taking a proactive approach to harden the platform against security risks. One of the additional security hardening efforts in WordPress 3.6.1 is an update to security restrictions around file uploads to mitigate the potential for cross-site scripting (XSS). An XSS flaw can potentially occur when code is injected into a site, giving an attacker some form of control or unauthorised access.

“The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML,” the WordPress 3.6.1 release notes state.

Files with an .swf extension are Flash media files, while .exe denotes an executable program file.

The new WordPress update isn’t just about security fixes either. Some 13 additional bug and stability fixes are part of the update.

WordPress 3.6.1 is the first incremental update to the WordPress 3.6 platform that was first released on 1 August and has already been downloaded over 7.4 million times. Among the key features that the 3.6 version introduced are improved post auto-saving capabilities and an enhanced revision browser.

What do you know about Internet security? Find out with our quiz!

Originally published on eWeek.

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Three UK Investigates After Outage Impacted Some 999 Calls

Thursday outage of Three UK network impacts thousands of people, with operator confirming some 999…

1 day ago

CMA Secures Google Commitment To Tackle Fake Reviews

British competition watchdog secures undertaking from Google to tackle fake reviews, as Amazon probe continues

1 day ago

Trump Signs AI ‘Free From Idealogical Bias’ Executive Order

After earlier revoking Biden's AI safety executive order, President Trump signs new executive order to…

1 day ago

OpenAI’s ‘Operator’ Agent Automates Online Tasks

OpenAI launches AI agent called 'Operator' to automatically fill out forms, make restaurant reservations, book…

2 days ago

Pakistan’s Parliament Passes Bill For Strict Control On Social Media

Bill passed to give Pakistani government sweeping controls on social media, but critics argue it…

2 days ago

Indian Tribunal Suspends Meta’s Data Sharing Ban

After Meta had warned that India's data sharing ban could collapse WhatsApp's business model, tribunal…

2 days ago