WordPress 3.3.2 Patches Security Flaws
Version 3.3.2 of WordPress was recently released, patching several vulnerabilities both in the platform itself and in external libraries.

"The organization wouldn’t reveal how many vulnerabilities it fixed, but it did note that they were in double digits, and it did elaborate on some of the changes in WordPress 3.3.2," writes ZDNet's Emil Protalinski. "You can download the new version from wordpress.org/download or from your Dashboard (Updates menu in your site’s admin area)."

"The new WordPress version updates the bundled Plupload library to version 1.5.4 after its developers patched a cross-site request forgery (CSRF) vulnerability last week," writes ITworld's Lucian Constantin. "Plupload is a flexible upload handling library with support for a variety of runtimes including HTML5, Flash, Silverlight, Gears and BrowserPlus. It is used by default in WordPress to upload media files. Several security bugs were also addressed in two other libraries called SWFUpload and SWFObject, which WordPress used in the past for media file uploading and Flash embedding, respectively."

"In addition to those flaws, WordPress's developers also included patches for a pair of XSS bugs," writes Threatpost's Dennis Fisher. "One of the XSS flaws can be exploited when URLs are made clickable on WordPress pages, and the other lies in the way that redirects are handled after users post comments using older browsers. There also is a fix for a privilege escalation vulnerability that can crop up in some circumstances when a site administrator could deactivate network-wide plugins when running a WordPress network."

"In addition to this release, WordPress 3.4 Beta 3 is also now available for download," notes TNW's Harrison Weber. "And while the build isn’t ready for the prime time, plugin and theme developers should already be working with it for testing."