The open-source WordPress blogging platform is being updated to version 3.6.1 to fix a trio of security vulnerabilities. WordPress is a widely deployed platform for blogging and is also suitable for general content management system usage. Currently there are more than 70 million global sites running some version of WordPress.
WordPress is available as both a hosted platform by way of the WordPress.com Website, as well as an open-source project available via WordPress.org for those who want to self-host the platform. The new WordPress 3.6.1 update is for those who self-host and will require users to update immediately to limit the risk of exploitation. Users can update directly from within their own WordPress installations to get the latest version.
Among the three security flaws fixed in WordPress 3.6.1 is a PHP usage issue that could have potentially enabled arbitrary remote code execution by an attacker. WordPress uses PHP on the server side in order to run.
Another key fix is for a privilege escalation issue. According to the WordPress 3.6.1 release announcement, the fix will “prevent a user with an Author role, using a specially crafted request, from being able to create a post ‘written by’ another user.”
The open-source blogging platform is also getting a fix for an insufficient input validation vulnerability. That vulnerability could potentially enable an attacker to inject a link into a site and then redirect users to another Website.
Going beyond just fixing immediate security flaws, WordPress 3.6.1 is also taking a proactive approach to harden the platform against security risks. One of the additional security hardening efforts in WordPress 3.6.1 is an update to security restrictions around file uploads to mitigate the potential for cross-site scripting (XSS). An XSS flaw can potentially occur when code is injected into a site, giving an attacker some form of control or unauthorized access.
“The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML,” the WordPress 3.6.1 release notes state.
Files with an .swf extension are Flash media files, while .exe denotes an executable program file.
The new WordPress update isn’t just about security fixes either. Some 13 additional bug and stability fixes are part of the update.
WordPress 3.6.1 is the first incremental update to the WordPress 3.6 platform that was first released on Aug. 1 and has already been downloaded over 7.4 million times. Among the key features that the 3.6 version introduced are improved post auto-saving capabilities and an enhanced revision browser.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.