November 1, 2014

WordPress 3.9.2 Security Release: UPGRADE NOW

WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately.

This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time the two projects have coordinated joint security releases.

WordPress 3.9.2 also contains other security changes:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
  • For more information, see the release notes or consult the list of changes.

Download WordPress 3.9.2 or venture over to Dashboard → Updates and simply click “Update Now”.

Sites that support automatic background updates will be updated to WordPress 3.9.2 within 12 hours. (If you are still on WordPress 3.8.3 or 3.7.3, you will also be updated to 3.8.4 or 3.7.4. Older WordPress versions are not supported, so please update to 3.9.2.)

As always, we highly recommend that you keep your WordPress installation, WordPress themes and WordPress plugins up to date to ensure that you’re running the most secure and feature-rich version of WordPress.

If you need assistance with upgrading, please schedule your WordPress upgrade today via our WordPress Upgrade Service.

Anyone who is already subscribed to one of our upgrade packages has already been upgraded to WordPress 3.9.2. If you’d like to make sure your site is always up to date, please check out our WordPress Maintenance Packages.

WordPress 3.6.1 Released September 11, 2013

WordPress version 3.6.1 was released on September 11, 2013 and is a maintenance release that fixes 13 bugs in version 3.6.

WordPress 3.6.1 is also a security release for all previous WordPress versions and we strongly encourage you to update your sites immediately. It addresses three issues fixed by the WordPress security team:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website.

Additionally, the WordPress security team has adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.

As always, we highly recommend that you keep your WordPress installation, WordPress themes and WordPress plugins up to date to ensure that you’re running the most secure and feature-rich version of WordPress.

If you need assistance with upgrading, please schedule your WordPress upgrade today via our WordSprung WordPress Upgrade Service.

Anyone who is already subscribed to one of our upgrade packages has already been upgraded to WordPress 3.6.1. If you’d like to make sure your site is always up to date, please check out our WordSprung WordPress Maintenance Packages.

WordPress 3.6

WordPress 3.6, “Oscar”, was released on August 1, 2013 and is a major release that includes a beautiful new blog-centric theme, bullet-proof autosave and post locking, a revamped revision browser, native support for audio and video embeds, and improved integrations with Spotify, Rdio, and SoundCloud.

User Features

  • The new Twenty Thirteen theme inspired by modern art puts focus on your content with a colorful, single-column design made for media-rich blogging.
  • Revamped Revisions save every change and the new interface allows you to scroll easily through changes to see line-by-line who changed what and when.
  • Post Locking and Augmented Autosave will especially be a boon to sites where more than a single author is working on a post. Each author now has their own autosave stream, which stores things locally as well as on the server (so much harder to lose something) and there’s an interface for taking over editing of a post, as demonstrated beautifully by our bearded buddies in the video above.
  • Built-in HTML5 media player for native audio and video embeds with no reliance on external services.
  • The Menu Editor is now much easier to understand and use.

Developer features

  • A new audio/video API gives you access to metadata like ID3 tags.
  • You can now choose HTML5 markup for things like comment and search forms, and comment lists.
  • Better filters for how revisions work, so you can store a different amount of history for different post types.
  • Tons more listed on the Codex, and of course you can always browse the over 700 closed tickets.

As always, we highly recommend that you keep your WordPress installation, WordPress themes and WordPress plugins up to date to ensure that you’re running the most secure and feature-rich version of WordPress.

If you need assistance with upgrading, please schedule your WordPress upgrade today via our WordSprung WordPress Upgrade Service.

Anyone who is already subscribed to one of our upgrade packages has already been upgraded to WordPress 3.5. If you’d like to make sure your site is always up to date, please check out our WordSprung WordPress Maintenance Packages.

WordPress 3.5.2

WordPress 3.5.2 was released on June 21, 2013 and is a maintenance and security update which addresses 12 bugs with version 3.5.

The security issues addressed include:

  • Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
  • Disallow contributors from improperly publishing posts, or reassigning the post’s authorship.
  • An update to the SWFUpload external library to fix cross-site scripting vulnerabilities.
  • Prevention of a denial of service attack, affecting sites using password-protected posts.
  • An update to an external TinyMCE library to fix a cross-site scripting vulnerability.
  • Multiple fixes for cross-site scripting.
  • Avoid disclosing a full file path when an upload fails.

As always, we highly recommend that you keep your WordPress installation, WordPress themes and WordPress plugins up to date to ensure that you’re running the most secure and feature-rich version of WordPress.

If you need assistance with upgrading, please schedule your WordPress upgrade today via our WordSprung WordPress Upgrade Service.

Anyone who is already subscribed to one of our upgrade packages has already been upgraded to WordPress 3.5.2. If you’d like to make sure your site is always up to date, please check out our WordSprung WordPress Maintenance Packages.

WordPress 3.5.1

WordPress 3.5.1 was released on January 24, 2013 and is a maintenance and security update which addresses 37 bugs with version 3.5, including:

  • Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
  • Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
  • Networks: Suggest proper rewrite rules when creating a new network.
  • Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
  • Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
  • Suppress some warnings that could occur when a plugin misused the database or user APIs.

The security issues addressed include:

  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team.
  • Two instances of cross-site scripting via shortcodes and post content.
  • A cross-site scripting vulnerability in the external library Plupload.

As always, we highly recommend that you keep your WordPress installation, WordPress themes and WordPress plugins up to date to ensure that you’re running the most secure and feature-rich version of WordPress.

If you need assistance with upgrading, please schedule your WordPress upgrade today via our WordSprung WordPress Upgrade Service.

Anyone who is already subscribed to one of our upgrade packages has already been upgraded to WordPress 3.5.1. If you’d like to make sure your site is always up to date, please check out our WordSprung WordPress Maintenance Packages.