WordPress today released WordPress 3.6.1.
The new maintenance and security release fixes 13 bugs in version 3.6 and addresses three key security issues:
- Remote Code Execution: Unsafe PHP unserialization, reachable only in limited situations and setups but capable of leading to remote code execution, has been blocked.
- Privilege Escalation: Users with the Author role can no longer create posts "written by" another user by sending specially crafted requests.
- Link Injection/Open Redirect: Insufficient input validation that could result in users being redirected to another website has been fixed.
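The remote code execution item above names the vulnerability class without showing it. The following is an added example, not WordPress code and not the actual 3.6.1 flaw: it uses a hypothetical gadget class (`LogFlusher`) and a constructed payload to show why `unserialize()` on attacker-controlled input is dangerous, and then two ways to avoid it.

```php
<?php
// Added example, not WordPress code. Illustrates the vulnerability class
// named above (unsafe unserialize() of attacker-controlled input) with a
// hypothetical gadget class, then shows two safe alternatives.

// Hypothetical application class. Nothing here looks dangerous on its own,
// but __destruct() runs automatically whenever an instance is released,
// and unserialize() will happily create instances with attacker-chosen state.
class LogFlusher
{
    public $callback = 'trim';
    public $data = '';

    public function __destruct()
    {
        // The "gadget": an indirect call whose target and argument come
        // entirely from object state that the attacker controls.
        call_user_func($this->callback, $this->data);
    }
}

// Attacker-supplied payload (constructed for this example), as it might
// arrive in a cookie or POST field. It instantiates LogFlusher with
// callback="system" and data="id", so releasing the object runs `id`.
$payload = 'O:10:"LogFlusher":2:{s:8:"callback";s:6:"system";s:4:"data";s:2:"id";}';

// VULNERABLE: untrusted bytes reach unserialize(). The attacker, not the
// application, decides which loadable classes get instantiated and with
// what properties. Defined for contrast only; it is not called below.
function vulnerable(string $untrusted): void
{
    $obj = unserialize($untrusted);
    // $obj goes out of scope here and __destruct() fires system('id')
}

// SAFE 1: do not accept PHP-serialized objects from clients at all.
// JSON can only produce scalars, arrays and stdClass, never a class
// with magic methods.
function safe_json(string $untrusted)
{
    $decoded = json_decode($untrusted, true);
    return json_last_error() === JSON_ERROR_NONE ? $decoded : null;
}

// SAFE 2 (PHP 7.0+): if serialized data must be accepted, forbid object
// instantiation. Any object in the payload becomes __PHP_Incomplete_Class,
// whose magic methods never run, even though LogFlusher is defined here.
function safe_unserialize(string $untrusted)
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

$r = safe_unserialize($payload);
// The result is an incomplete-class placeholder, so no gadget code ran.
var_dump($r instanceof __PHP_Incomplete_Class);
// The same bytes are not valid JSON, so the JSON path rejects them outright.
var_dump(safe_json($payload));
```

The precondition for this class of bug is only that some class with a useful magic method (`__destruct`, `__wakeup`, `__toString`) is loadable when `unserialize()` runs; in a large plugin ecosystem that is rarely hard to satisfy, which is why the safe options above avoid the question rather than trying to audit every class.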
WordPress has credited Tom Van Goethem, Anakorn Kyavatanakij, and Dave Cummo, a Northrop Grumman subcontractor for the US Centers for Disease Control and Prevention, with identifying the three vulnerabilities above, respectively.
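The open-redirect item above is equally terse. The following is an added example, not WordPress code and not the specific 3.6.1 fix: it contrasts an unvalidated redirect with a validator that only passes root-relative paths or http(s) URLs on the site's own host, including the scheme-relative and backslash forms that naive "must start with /" checks miss. The host name and test inputs are hypothetical.

```php
<?php
// Added example, not WordPress code. Shows the open-redirect pattern named
// above and a validator that only passes same-host targets. The host name
// and inputs are hypothetical.

// VULNERABLE: the redirect target is taken straight from the request, so
// ?redirect_to=https://attacker.example/ sends the user off-site. Naive
// "must start with /" checks also miss scheme-relative forms such as
// //attacker.example, which browsers resolve to a different host.
function vulnerable_redirect(array $query): string
{
    return 'Location: ' . $query['redirect_to'];
}

// Hardened: parse the target and accept it only if it is a root-relative
// path, or an http(s) URL naming our own host; otherwise use the fallback.
function validate_redirect(string $target, string $ourHost, string $fallback = '/'): string
{
    // Drop control characters and whitespace that could split headers or
    // confuse the parser, and normalize backslashes, which browsers treat
    // as slashes ("/\attacker.example" is really "//attacker.example").
    $clean = preg_replace('/[\x00-\x20\x7f]/', '', $target) ?? '';
    $clean = str_replace('\\', '/', $clean);

    $parts = parse_url($clean);
    if ($clean === '' || $parts === false) {
        return $fallback;
    }
    if (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback; // javascript:, data:, and friends
    }
    if (isset($parts['host'])) {
        // Covers https://attacker.example/, //attacker.example/ and
        // https://blog.example@attacker.example/ (parse_url reports the
        // real host, and the decoy goes into 'user').
        if (strcasecmp($parts['host'], $ourHost) !== 0) {
            return $fallback;
        }
    } elseif (!isset($parts['path']) || $parts['path'] === '' || $parts['path'][0] !== '/') {
        // No host: require a root-relative path such as /wp-admin/.
        return $fallback;
    }
    return $clean;
}

// Hypothetical site host and candidate targets.
$ourHost = 'blog.example';
foreach ([
    '/wp-admin/',
    'https://blog.example/wp-admin/',
    'https://attacker.example/',
    '//attacker.example/',
    '/\\attacker.example/',
    'https://blog.example@attacker.example/',
    'javascript:alert(1)',
] as $t) {
    echo str_pad($t, 42), ' -> ', validate_redirect($t, $ourHost), "\n";
}
```

Only the first two candidates survive validation; every other form resolves to a different host or a non-HTTP scheme once it is normalized and parsed, and falls back to `/`. In a WordPress plugin the equivalent is to route redirects through `wp_safe_redirect()` rather than emitting a `Location` header directly.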
WordPress has also adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.
A full log of the changes made for 3.6.1 can be found here.
The files revised in this release include:
- readme.html
- wp-admin/about.php
- wp-admin/nav-menus.php
- wp-admin/includes/post.php
- wp-admin/includes/update-core.php
- wp-admin/includes/template.php
- wp-admin/network/upgrade.php
- wp-admin/js/common.js
- wp-includes/pluggable.php
- wp-includes/comment-template.php
- wp-includes/post-template.php
- wp-includes/version.php
- wp-includes/theme.php
- wp-includes/functions.php
- wp-includes/ms-functions.php
- wp-includes/link-template.php
- wp-includes/class-http.php
- wp-includes/js/jquery/jquery.js
- wp-includes/js/tinymce/plugins/wordpress/editor_plugin.js
- wp-includes/js/tinymce/plugins/wordpress/editor_plugin_src.js
- wp-includes/js/tinymce/wp-tinymce.js.gz
WordPress strongly recommends that all users update their sites immediately.
Users can either download WordPress 3.6.1 or update from the Dashboard → Updates menu in their site’s admin area.