In association with heise online

25 January 2013, 16:57

WordPress 3.5.1 tightens security and stops HTML from disappearing

Existing users can update their installation from the Dashboard ➤ Updates menu
The WordPress developers have announced a maintenance update to the popular open source blogging software. WordPress 3.5.1 fixes 37 bugs and addresses three security issues, including two cross-site scripting vulnerabilities. Users running WordPress on IIS might run into a problem that prevents the upgrade; the developers have prepared documentation to help users work around this problem.

Security issues addressed in the update include a server-side request forgery problem that allowed the exposure of information through pingbacks. According to the developers, this vulnerability could help attackers compromise an unpatched WordPress site. Cross-site scripting vulnerabilities were fixed in the external Plupload library and in the shortcode and post content handling.

The release also fixes several bugs, including HTML elements disappearing from the editor and from scheduled posts, and makes minor workflow improvements in the media manager that was introduced with WordPress 3.5 in December. WordPress now suggests rewrite rules when the user changes the network it is installed in. The software will also recover from faulty JavaScript in themes that would otherwise prevent access to the administration area. A complete list of fixes is available in the change log.

WordPress 3.5.1 is available for download from the project's site. Alternatively, existing users can update automatically via Dashboard ➤ Updates in the WordPress admin interface. Source code for WordPress is licensed under the GPLv2 or later.

