WordPress Security – 3.5.2 Security Update

Great to see a security update for WordPress 3.5.2

WordPress 3.5.2 Maintenance and Security Release. This release adds a number of security fixes including:

  • Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
  • Disallowing contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
  • An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki. (Developers: More on SWFUpload here.)
  • Prevention of a denial of service attack affecting sites using password-protected posts.
  • An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
  • Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
  • Avoiding disclosure of a full file path when an upload fails. Reported by Jakub Galczyk.

Additionally, version 3.5.2 fixes seven security issues:

  • Server-Side Request Forgery (SSRF) via the HTTP API.
  • Privilege Escalation: Contributors can publish posts, and users can reassign authorship.
  • Cross-Site Scripting (XSS) in SWFUpload.
  • Denial of Service (DoS) via Post Password Cookies.
  • Content Spoofing via Flash Applet in TinyMCE Media Plugin.
  • Cross-Site Scripting (XSS) when Uploading Media.
  • Full Path Disclosure (FPD) during File Upload.

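The first item above, SSRF via the HTTP API, is the kind of bug a defender mitigates by validating outbound URLs before a server-side fetch: allow only http/https, resolve the host, and refuse anything that lands on loopback, private or link-local address space. The PHP below is an added illustration of that check and is not WordPress core code (core has its own implementation, `wp_http_validate_url()`, which this example does not reproduce). The function name `validate_outbound_url`, the `$resolver` callback and the `$fake_dns` table in the demo are assumptions made for this example so that it runs offline.

```php
<?php
// Added example (not WordPress code): reject URLs that would let a server-side
// HTTP fetch reach internal services. Simplified: IPv4 only, fixed port list.

// True when $ip is a loopback, RFC 1918, link-local or otherwise non-routable
// IPv4 address, or is not a valid IPv4 literal at all (unsafe by default).
function is_private_ipv4(string $ip): bool {
    $long = ip2long($ip);
    if ($long === false) {
        return true;
    }
    $ranges = [
        ['10.0.0.0', 8],      // RFC 1918
        ['172.16.0.0', 12],   // RFC 1918
        ['192.168.0.0', 16],  // RFC 1918
        ['127.0.0.0', 8],     // loopback
        ['169.254.0.0', 16],  // link-local (cloud metadata services live here)
        ['0.0.0.0', 8],       // "this" network
    ];
    foreach ($ranges as [$net, $bits]) {
        $mask = -1 << (32 - $bits);
        if ((ip2long($net) & $mask) === ($long & $mask)) {
            return true;
        }
    }
    return false;
}

// Returns the URL when it is acceptable for an outbound fetch, or null when it
// must be rejected. $resolver maps a hostname to an IPv4 string and defaults to
// gethostbyname(); it is injectable so the check can be exercised without DNS.
function validate_outbound_url(string $url, ?callable $resolver = null): ?string {
    $resolver = $resolver ?? 'gethostbyname';
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null; // no file://, ftp://, php:// and friends
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // user@host URLs are a classic way to confuse parsers
    }
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443, 8080], true)) {
        return null; // keep fetches off arbitrary internal ports
    }
    $host = strtolower($parts['host']);
    // An IP literal is checked directly; a hostname is resolved first.
    // gethostbyname() returns the name unchanged on failure, which ip2long()
    // then rejects, so unresolvable hosts are treated as unsafe.
    $ip = filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        ? $host
        : $resolver($host);
    if (is_private_ipv4($ip)) {
        return null;
    }
    return $url;
}

// Constructed demo data: a fake resolver so the example needs no network.
$fake_dns = fn(string $h): string =>
    ['example.com' => '93.184.216.34', 'intranet.local' => '10.0.0.5'][$h] ?? $h;

$samples = [
    'https://example.com/feed',        // allowed
    'http://intranet.local/admin',     // rejected: resolves to RFC 1918 space
    'http://127.0.0.1:8080/',          // rejected: loopback
    'http://169.254.169.254/latest/',  // rejected: link-local
    'file:///etc/passwd',              // rejected: scheme
    'http://user@example.com/',        // rejected: credentials in URL
];
foreach ($samples as $u) {
    printf("%-34s %s\n", $u, validate_outbound_url($u, $fake_dns) === null ? 'REJECTED' : 'allowed');
}
```

One caveat worth carrying into any real implementation: the check resolves the hostname once, and the HTTP client resolves it again when it connects, so a host whose DNS answer changes between the two lookups (DNS rebinding) can slip past. Pinning the fetch to the IP that was validated, or validating inside the client's connect hook, closes that gap. Redirects need the same treatment, since a permitted URL can redirect to an internal one.
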
Additional security hardening includes:

  • Cross-Site Scripting (XSS) (Low Severity) when Editing Media. CVE-2013-2201.
  • Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating Plugins/Themes. CVE-2013-2201.
  • XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.

All of our existing client installations will automatically be updated.
