Bloggers using WordPress told to update their software immediately

A brand new version of the incredibly popular WordPress blogging platform has been released, and webmasters are being urged to update their systems "immediately" because it fixes a number of security issues.

WordPress 3.6.1 fixes some minor bugs but also addresses some security vulnerabilities.

Here are the details, as provided by WordPress.org's official announcement:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.

If you are running an earlier version of WordPress, it is really important that you ensure your system is kept updated from now on.

With so many of the world's websites relying upon the WordPress software, it is essential that webmasters keep their systems up to date. After all, if a hacker managed to infiltrate your blog and inject code, the attack could be passed on to your visitors.

Users of WordPress.com, who don't manage their own website hosting, don't need to worry about the new version of WordPress - as they will already be using the latest version.

By the way, grahamcluley.com also uses a managed WordPress service which - I am delighted to say - updated my installation of WordPress for me while I was tucked up in bed.

The guys at WordPress mentioned that they were grateful to Dave Cummo, Tom Van Goethem and Anakorn Kyavatanakij for their responsible disclosure of the vulnerabilities, which meant that a fixed version of WordPress was available to users at the time of the flaws' announcement, rather than leaving millions of internet users potentially at risk.

We should all be grateful when security researchers act responsibly, for the greater good of the internet community, rather than trying to make a name for themselves by releasing vulnerability details publicly that could be exploited by malicious hackers.

More details of the flaws fixed by WordPress 3.6.1 can be found in the official announcement on wordpress.org, and in a blog post from Sucuri.

You can either download WordPress 3.6.1 directly, or update your installation from your site's admin area in the WordPress dashboard.
