Bloggers using WordPress told to update their software immediately

Graham Cluley

A brand new version of the incredibly popular WordPress blogging platform has been released, and webmasters are being urged to update their systems “immediately” because it fixes a number of security issues.

WordPress 3.6.1 fixes some minor bugs but also addresses some security vulnerabilities.

Here are the details, as provided by WordPress.org’s official announcement:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
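As an added illustration (not code from WordPress or from this post) of two of the vulnerability classes listed above, untrusted PHP unserialization and unvalidated redirect targets, the following standalone PHP shows the weak pattern beside a hardened form for each. The `allowed_classes` option to `unserialize()` exists in PHP 7.0 and later; the function names and the allowlisted host `blog.example` are assumptions made for the example. WordPress itself exposes the redirect check as `wp_validate_redirect()` and `wp_safe_redirect()`; this version is a self-contained stand-in, not the WordPress implementation.

```php
<?php
// Added example (not WordPress code): defensive handling for the two
// vulnerability classes named in the 3.6.1 advisory.
declare(strict_types=1);

// --- 1. Unserialization of untrusted data ----------------------------------
// Weak pattern: unserialize() on attacker-controlled input will instantiate
// any class named in the payload, which is what turns a data-handling bug
// into code execution when a suitable class happens to be loaded.
function deserialize_untrusted_weak(string $blob)
{
    return unserialize($blob);
}

// Hardened: refuse object instantiation entirely. With allowed_classes set
// to false, any object in the payload comes back as __PHP_Incomplete_Class,
// so no __wakeup()/__destruct() logic of application classes can run.
// Scalars and arrays still decode normally.
function deserialize_untrusted_safe(string $blob)
{
    $value = @unserialize($blob, ['allowed_classes' => false]);
    // unserialize() returns false on malformed input; tell that apart from a
    // legitimately serialized boolean false ("b:0;").
    if ($value === false && $blob !== 'b:0;') {
        return null;
    }
    return $value;
}

// --- 2. Redirect target validation -----------------------------------------
// Weak pattern: send the browser wherever the request parameter says.
function redirect_target_weak(string $target): string
{
    return $target; // caller then does header('Location: ' . $target)
}

// Hardened: accept only same-site relative paths or http(s) URLs whose host
// is on an allowlist; everything else falls back to a fixed default.
function validate_redirect(string $target, array $allowed_hosts, string $fallback = '/'): string
{
    $target = trim($target);
    // Reject empty input, control characters (header injection) and
    // protocol-relative forms such as "//other.example" or "/\other.example".
    if ($target === ''
        || preg_match('/[\x00-\x1f\x7f]/', $target)
        || substr($target, 0, 2) === '//'
        || substr($target, 0, 2) === '/\\') {
        return $fallback;
    }
    // A plain path on this site is fine.
    if ($target[0] === '/') {
        return $target;
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    // Host comparison catches "http://good.example@evil.example" too, because
    // parse_url() reports evil.example as the host there.
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
        return $fallback;
    }
    return $target;
}

// Constructed sample inputs for a quick run; these are made up for the example.
$hosts = ['blog.example'];
var_dump(validate_redirect('/wp-admin/', $hosts));                    // same-site path
var_dump(validate_redirect('https://blog.example/post/1', $hosts));   // allowlisted host
var_dump(validate_redirect('https://other.example/', $hosts));        // unlisted host
var_dump(validate_redirect('//other.example/', $hosts));              // protocol-relative
var_dump(deserialize_untrusted_safe('a:1:{s:3:"key";s:5:"value";}')); // plain array
var_dump(deserialize_untrusted_safe('O:8:"stdClass":0:{}'));          // object, neutralised
var_dump(deserialize_untrusted_safe('not-serialized'));               // malformed input
```

Two design notes: data that only ever needs scalars and arrays is better stored as JSON and read back with `json_decode()`, which never instantiates application classes at all; and the redirect check compares the parsed host against an allowlist rather than looking for the site name as a substring, since substring matching is exactly the kind of insufficient validation that lets a crafted URL point off-site.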

If you are running an earlier version of WordPress, it is really important that you ensure your system is kept updated from now on.


With so many of the world’s websites relying upon the WordPress software, it is essential that webmasters keep their systems up to date. After all, if a hacker managed to infiltrate your blog and inject code, the attack could be passed on to your visitors.

Users of WordPress.com, who don’t manage their own website hosting, don’t need to worry about the new version of WordPress – as they will already be using the latest version.

By the way, grahamcluley.com also uses a managed WordPress service which – I am delighted to say – updated my installation of WordPress for me while I was tucked up in bed.

The guys at WordPress mentioned that they were grateful to Dave Cummo, Tom Van Goethem and Anakorn Kyavatanakij for their responsible disclosure of the vulnerabilities, which meant that a fixed version of WordPress was available to users at the time of the flaws’ announcement, rather than leaving millions of internet users potentially at risk.

We should all be grateful when security researchers act responsibly, for the greater good of the internet community, rather than trying to make a name for themselves by releasing vulnerability details publicly that could be exploited by malicious hackers.

More details of the flaws fixed by WordPress 3.6.1 can be found in the official announcement on wordpress.org, and in a blog post from Sucuri.

You can either download WordPress 3.6.1 directly, or update your installation from your site’s admin area in the WordPress dashboard.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.
