WordPress 3.6.1 fixes some minor bugs but also addresses some security vulnerabilities.
Here are the details, as provided by WordPress.org’s official announcement:
- Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
- Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
- Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
If you are running an earlier version of WordPress, it is really important that you ensure your system is kept updated from now on.
With so many of the world’s websites relying upon the WordPress software, it is essential that webmasters keep their systems up to date. After all, if a hacker managed to infiltrate your blog and inject code, the attack could be passed on to your visitors.
Users of WordPress.com, who don’t manage their own website hosting, don’t need to worry about the new version of WordPress – as they will already be using the latest version.
By the way, grahamcluley.com also uses a managed WordPress service which – I am delighted to say – updated my installation of WordPress for me while I was tucked up in bed.
The guys at WordPress mentioned that they were grateful to Dave Cummo, Tom Van Goethem and Anakorn Kyavatanakij for their responsible disclosure of the vulnerabilities, which meant that a fixed version of WordPress was available to users at the time of the flaws’ announcement, rather than leaving millions of internet users potentially at risk.
We should all be grateful when security researchers act responsibly, for the greater good of the internet community, rather than trying to make a name for themselves by releasing vulnerability details publicly that could be exploited by malicious hackers.
You can either download WordPress 3.6.1 directly, or update your installation from your site’s admin area in the WordPress dashboard.