Bloggers using WordPress told to update their software immediately

Graham Cluley

A brand new version of the incredibly popular WordPress blogging platform has been released, and webmasters are being urged to update their systems “immediately” because it fixes a number of security issues.

WordPress 3.6.1 fixes some minor bugs but also addresses some security vulnerabilities.

Here are the details, as provided by WordPress.org’s official announcement:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
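The first item in that list is the one that matters most, because PHP's unserialize() will rebuild any object it finds in attacker-controlled input and run that object's magic methods. The short PHP script below is an added illustration of why that is dangerous and of one defensive pattern for handling such data; it is not WordPress code and does not show how 3.6.1 itself was patched. The CacheEntry class, the safe_unserialize() helper and the sample payload are all constructed for the example.

```php
<?php
// Added illustration (not WordPress code): why unserializing untrusted
// data is dangerous, and one defensive way to handle it.

// A class with a magic method. unserialize() calls __wakeup() on every
// instance it reconstructs, so the input decides which code runs.
class CacheEntry {
    public $file;
    public function __wakeup() {
        // In real applications this might touch the filesystem or database;
        // here it only logs, to show that it fires at all.
        error_log("CacheEntry::__wakeup() ran for " . $this->file);
    }
}

// Constructed sample input: a serialized CacheEntry object, the kind of
// string that must never reach a plain unserialize() call.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"file";s:13:"/tmp/evil.txt";}';

// Unsafe: the object is rebuilt and its __wakeup() runs.
$obj = unserialize($untrusted);

// Defensive version: accept only scalars and arrays, never objects.
function safe_unserialize(string $data) {
    // Cheap pre-check: serialized objects start with "O:" (or "C:" for
    // classes implementing Serializable). Reject those outright.
    if (preg_match('/^[OC]:\d+:/', $data)) {
        return false;
    }
    // PHP >= 7.0: allowed_classes => false turns any object nested deeper
    // in the structure into __PHP_Incomplete_Class, so no application
    // class's __wakeup() or __destruct() can run. The @ silences the
    // notice unserialize() emits on malformed input; it still returns false.
    return @unserialize($data, ['allowed_classes' => false]);
}

// Rejected: a top-level object.
var_dump(safe_unserialize($untrusted));
// Accepted: a plain array of strings.
var_dump(safe_unserialize('a:1:{i:0;s:3:"foo";}'));
// Object hidden inside an array: allowed_classes => false neutralises it.
var_dump(safe_unserialize('a:1:{i:0;O:10:"CacheEntry":1:{s:4:"file";s:1:"x";}}'));
```

Where the data format is under your control, the better fix is not to use PHP serialization for untrusted input at all and to exchange JSON instead, since json_decode() never instantiates application classes.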

If you are running an earlier version of WordPress, it is really important that you ensure your system is kept updated from now on.

With so many of the world’s websites relying upon the WordPress software, it is essential that webmasters keep their systems up to date. After all, if a hacker managed to infiltrate your blog and inject code, the attack could be passed on to your visitors.

Users of WordPress.com, who don’t manage their own website hosting, don’t need to worry about the new version of WordPress – as they will already be using the latest version.

By the way, grahamcluley.com also uses a managed WordPress service which – I am delighted to say – updated my installation of WordPress for me while I was tucked up in bed.

The guys at WordPress mentioned that they were grateful to Dave Cummo, Tom Van Goethem and Anakorn Kyavatanakij for their responsible disclosure of the vulnerabilities, which meant that a fixed version of WordPress was available to users at the time of the flaws’ announcement, rather than leaving millions of internet users potentially at risk.

We should all be grateful when security researchers act responsibly, for the greater good of the internet community, rather than trying to make a name for themselves by releasing vulnerability details publicly that could be exploited by malicious hackers.

More details of the flaws fixed by WordPress 3.6.1 can be found in the official announcement on wordpress.org, and in a blog post from Sucuri.

You can either download WordPress 3.6.1 directly, or update your installation from your site’s admin area in the WordPress dashboard.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.