WordPress 3.4 update closes important security hole

The WordPress developers have released version 3.4.1 of their popular open source publishing platform, fixing a number of bugs and closing security holes, one of which is rated as important. WordPress 3.4, which has already been downloaded 3 million times since being released two weeks ago, contains a important privilege escalation flaw that accidentally allowed all administrators and editors on multi-site installations to use unfiltered_html. This could have been exploited by users for cross-site scripting (XSS) attacks by, for example, publishing posts containing malicious code.

The update also fixes an information disclosure vulnerability which could have allowed some users to bypass certain security restrictions in order to view the contents of posts that they should not be able to see, such as draft and private posts. WordPress 3.4.1 further improves security by adding additional protections against cross-site request forgery (CSRF) attacks in the customiser, and deprecating the wp_explain_nonce() function as it could reveal unnecessary information. Additionally, a child theme can now only be activated along with its intended parent theme.

Changes unrelated to security include fixes for problems with category permalink structures and an issue that resulted in a theme's page template not being detected. WordPress now better handles plugins and themes that load JavaScript incorrectly, and improves compatibility with servers running certain versions of PHP. Early support for uploading images on iOS 6 devices has also been added.

A full list of fixes can be found in the WordPress Trac and on the Version 3.4.1 Codex page. WordPress 3.4.1 is available to download from the project's site; existing users can upgrade using the built-in update functionality. Binaries and source code are licensed under the GPLv2 or later.

See also:

• WordPress 3.4 "Green" has new theme customiser, a report from The H.

(crve)