With the second security and maintenance release of WordPress 3.5, the developers of the popular open source blogging software have closed 12 bugs, seven of them security issues. In their announcement, the developers “strongly encourage” all users to update all their installations of the software to version 3.5.2 immediately. In addition to the fixed vulnerabilities, the new release also includes some proactive changes intended to harden the platform against attacks.
Security fixes in this release include measures to prevent server-side request forgery (SSRF) attacks. The TinyMCE editor, the external SWFUpload library and other components have been updated to fix cross-site scripting (XSS) holes; WordPress’s own SWFUpload fork is used by the blogging platform to transfer files to the server, while TinyMCE is used as the software’s content editor. A problem that could be exploited by attackers to perform denial-of-service (DoS) attacks on sites that use WordPress’s password protection for posts has also been fixed.
WordPress 3.5.2 is available for download from the project’s web site. Alternatively, existing users can update automatically via Dashboard → Updates in the WordPress admin interface. The source code for WordPress is licensed under the GPLv2 or later.
Cross-posted from Heise-Security.