WordPress 3.6.1 Maintenance and Security Release

The WordPress team has released WordPress 3.6.1, a maintenance and security release.

WordPress 3.6.1 is also a security release for all previous WordPress versions, and it is strongly recommended that you update your sites.

WordPress has been updated to 3.6.1 in Softaculous. You can update your installation with just one click. Here is the guide:

Update WordPress

The WordPress security team resolved three security issues, and this release also contains some additional security hardening.

The security fixes include:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website.

The additional security hardening includes:

  • Updated security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.

Source: http://wordpress.org

WordPress 3.5.2 Maintenance and Security Release

The WordPress team has released WordPress 3.5.2, a maintenance and security release.

This is the second maintenance release of 3.5, fixing 12 bugs.

This is a security release for all previous versions, and it is strongly recommended that you update your sites immediately.

WordPress has been updated to 3.5.2 in Softaculous. You can update your installation with just one click. Here is the guide:

Update WordPress

The WordPress security team resolved seven security issues, and this release also contains some additional security hardening.

The security fixes included:

  • Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
  • Disallow contributors from improperly publishing posts or reassigning the post’s authorship.
  • An update to the SWFUpload external library to fix cross-site scripting vulnerabilities.
  • Prevention of a denial of service attack, affecting sites using password-protected posts.
  • An update to an external TinyMCE library to fix a cross-site scripting vulnerability.
  • Multiple fixes for cross-site scripting.
  • Avoid disclosing a full file path when an upload fails.

Source: http://wordpress.org