During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.
Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible.
This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.
WordPress 3.5.1 is now live and running wild on the interwebs. WordPress 3.5.1 is the first release after the major WordPress 3.5 release; it fixes a whopping 37 bugs and also addresses numerous security issues. Bugs in the Media Library, the WYSIWYG editor, themes and a range of general defects have been fixed.
Here is a list of the fixed bugs:
Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
Networks: Suggest proper rewrite rules when creating a new network.
Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
Suppress some warnings that could occur when a plugin misused the database or user APIs.
WordPress 3.5.1 also addresses the following security issues:
A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team.
Two instances of cross-site scripting via shortcodes and post content.
A cross-site scripting vulnerability in the external library Plupload.
Since it fixes these security issues, we highly recommend upgrading to WordPress 3.5.1 as soon as possible. If you host your WordPress website with NetON, your site will be upgraded automatically in the next couple of days.
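As an added defence-in-depth example that is not part of WordPress 3.5.1 or of this post (upgrading is the actual fix), the following must-use plugin replaces the pingback XML-RPC handler that the SSRF and port-scanning issue above goes through with one that logs and refuses the call, and it stops the site advertising pingback support. The neton_example_ function names are placeholders; the hooks used (xmlrpc_methods, wp_headers) and the IXR_Error fault class are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Refuse pingback XML-RPC calls
 * Description: Added defensive example (not part of WordPress 3.5.1 or this post).
 *
 * Extra layer for sites that must wait to upgrade: swaps the built-in
 * pingback.ping handler for one that logs the attempt and answers with a
 * fault, and removes the X-Pingback header that advertises the endpoint.
 * Drop it into wp-content/mu-plugins/ so it loads without activation.
 */

// Replace the pingback handlers in the XML-RPC method table. IXR_Server
// accepts any PHP callable here, not only its own 'this:' methods.
add_filter( 'xmlrpc_methods', 'neton_example_disable_pingbacks' );
function neton_example_disable_pingbacks( $methods ) {
    $methods['pingback.ping'] = 'neton_example_refuse_pingback';
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}

// Called with the pingback arguments (source URL, target URL). Log the
// client address and claimed source so refused calls can be alerted on,
// then return the same fault type the XML-RPC server normally uses.
function neton_example_refuse_pingback( $args ) {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $source = ( is_array( $args ) && isset( $args[0] ) ) ? (string) $args[0] : '';
    error_log( sprintf(
        'Refused pingback.ping from %s (claimed source URL: %s)',
        $remote,
        esc_url_raw( $source )
    ) );
    return new IXR_Error( 405, 'Pingbacks are disabled on this site.' );
}

// Remove the X-Pingback response header so the endpoint is not advertised.
add_filter( 'wp_headers', 'neton_example_strip_pingback_header' );
function neton_example_strip_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
```

Refused calls appear in the PHP error log, which is where a hosting provider's monitoring can pick them up; the log line is the only side effect besides the fault response.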
We have been building websites on WordPress since it came out. With over 5 years' experience and over 200 websites, we can now create WordPress websites for small, medium, large and multi-national enterprises.
NetON is a top SEO Melbourne company based in both Melbourne and Sydney, and we have over 10 years of experience working with clients in Australia, the United States and internationally. Our Search Engine Optimisation methods employ the best white hat methods and processes to deliver successful results and higher rankings to our clients. You will start seeing results in as little as 2 weeks. We have a very flexible working model and can customise our solutions based on client needs.
We offer integration and support of the most popular Marketing Automation Services in Australia and overseas. Our quick-start packs and templates will help you set up your campaigns more quickly and effectively.
Our team can help you generate more content and buzz and get more engagement from Google as well as social media platforms such as Facebook, Twitter, Instagram, Tumblr and Pinterest.
We are located in both of Australia's main hubs, Melbourne and Sydney. Please visit our Contact Us page for more details on how to reach us.