WordPress Security News: WordPress 3.4.1 was just released to the public; it includes 18 bug fixes and security hardening.
WordPress 3.4.1 fixes security issues and adds some extra security hardening. The vulnerabilities in WordPress 3.4 included a potential information disclosure and a bug that affected multisite installs with untrusted users. WordPress 3.3.3 was also released today as a security fix for the 3.3 branch.
Here are the WordPress security fixes in WordPress 3.4.1, from the WordPress Codex:
- Privilege Escalation/XSS. Critical. Administrators and editors in multisite were accidentally allowed to use unfiltered_html for 3.4.0.
- CSRF. Additional CSRF protection in the customizer.
- Information Disclosure: Disclosure of post contents to authors and contributors (such as private or draft posts).
- Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information.
- Hardening: Require a child theme to be activated with its intended parent only.
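The first item above is the one to check on an existing multisite network: in 3.4.0 an administrator or editor of a single site could post unfiltered HTML, which on a network is supposed to be reserved for super admins. The mu-plugin below is an added example (not code from WordPress core or from WPSecurityLock) that does two things: it audits which non-super-admin users on the current site currently pass the `unfiltered_html` check, and it re-asserts the super-admin-only rule through the `map_meta_cap` filter as defense in depth, so the restriction holds even if a future core change slips. It assumes only standard WordPress 3.x functions (`is_multisite()`, `is_super_admin()`, `user_can()`, `get_users()`, the `map_meta_cap` filter and the `admin_notices` action); the function names prefixed `wpsl_example_` are hypothetical names chosen for this example.

```php
<?php
/*
 * Plugin Name: unfiltered_html audit and guard for multisite (added example)
 * Description: Detection and defense-in-depth for the multisite capability
 *              mistake fixed in WordPress 3.4.1. Not part of WordPress core.
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Functions prefixed wpsl_example_ are hypothetical names for this example.
 */

/**
 * Guard: only super admins may hold unfiltered_html on a multisite network.
 *
 * map_meta_cap lets a plugin rewrite the primitive capabilities a user needs
 * for a meta capability. Returning array( 'do_not_allow' ) makes
 * current_user_can( 'unfiltered_html' ) false for that user, so wp_kses
 * filtering is applied to their posts and comments again.
 */
function wpsl_example_restrict_unfiltered_html( $caps, $cap, $user_id, $args ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }
    if ( is_multisite() && ! is_super_admin( $user_id ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'wpsl_example_restrict_unfiltered_html', 10, 4 );

/**
 * Audit: list users on the current site who are not super admins but would
 * pass the unfiltered_html check under core's own rules. The guard filter is
 * lifted while the check runs so the result reflects core behaviour, not ours.
 *
 * @return string[] user logins that should not have unfiltered_html
 */
function wpsl_example_unfiltered_html_audit() {
    $flagged = array();
    remove_filter( 'map_meta_cap', 'wpsl_example_restrict_unfiltered_html', 10 );
    $users = get_users( array( 'fields' => array( 'ID', 'user_login' ) ) );
    foreach ( $users as $user ) {
        if ( user_can( $user->ID, 'unfiltered_html' ) && ! is_super_admin( $user->ID ) ) {
            $flagged[] = $user->user_login;
        }
    }
    add_filter( 'map_meta_cap', 'wpsl_example_restrict_unfiltered_html', 10, 4 );
    return $flagged;
}

/**
 * Show the audit result to site administrators as a dashboard notice.
 * On a correctly patched 3.4.1 network this notice never appears.
 */
function wpsl_example_unfiltered_html_notice() {
    if ( ! is_multisite() || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $flagged = wpsl_example_unfiltered_html_audit();
    if ( empty( $flagged ) ) {
        return;
    }
    echo '<div class="error"><p>Non-super-admin users with unfiltered_html: '
        . esc_html( implode( ', ', $flagged ) ) . '</p></div>';
}
add_action( 'admin_notices', 'wpsl_example_unfiltered_html_notice' );
```

If you want a blanket switch rather than a filter, WordPress core also honours the `DISALLOW_UNFILTERED_HTML` constant: `define( 'DISALLOW_UNFILTERED_HTML', true );` in wp-config.php removes the capability from every user, super admins included, and is the simplest mitigation on a network where nobody needs raw HTML. Named functions are used instead of closures above because WordPress 3.4 still supported PHP 5.2.4, as the bug-fix list below notes.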
Here's a list of WordPress 3.4.1 bug fixes from WordPress.org:
- Fixes an issue where a theme’s page templates were sometimes not detected.
- Addresses problems with some category permalink structures.
- Better handling for plugins or themes loading JavaScript incorrectly.
- Adds early support for uploading images on iOS 6 devices.
- Allows for a technique commonly used by plugins to detect a network-wide activation.
- Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.
For a list of bug fixes from the WordPress Trac, click here.
WordPress 3.3 Users Please Update to WordPress 3.3.3:
If you have not upgraded to WordPress 3.4 yet because of a plugin or theme conflict, a security release was also published today for the 3.3 branch. Please upgrade to WordPress 3.3.3 ASAP.
WordPress Security Fixes in Version 3.3.3 from the WordPress Codex:
- Cross-Site Scripting: Fix persistent XSS via editable slug fields. (Also fixed in 3.4.0.)
- Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information. (Also fixed in 3.4.1.)
- Hardening: Require a child theme to be activated with its intended parent only. (Also fixed in 3.4.1.)
- Information Disclosure: Restrict some post IDs when dealing with media uploading, which could leak some info (or attach media to a post the user doesn’t have privileges to). (Also fixed in 3.4.0.)
- Information Disclosure: Hide post excerpts when the user cannot read the whole post (e.g. a contributor can’t read someone else’s draft beyond the title). (Also fixed in 3.4.0.)
- XSS Hardening: Escape the output of get_pagenum_link(). Note that this function was previously considered to have returned unescaped data, so this was not a vulnerability, but an enhancement. (Also fixed in 3.4.0.)
- CSRF Hardening: Prevent unfiltered HTML in comments when there is potential for clickjacking (i.e. when the front-end of the site is loaded in a frame). (Also fixed in 3.4.0.)
Important! It is strongly advised that you log in to your WordPress Dashboard and update now. If you do not see the update flagged in yellow at the top of your Dashboard, go to Dashboard > Updates from the sidebar and install the update. Or you can download it from http://wordpress.org/download/release-archive/.
Note: Be sure you create a full backup of your database and files before updating.
I just upgraded WPSecurityLock.com to WordPress 3.4.1 and it was very smooth. There was a database update required so be sure you stay at your browser when doing the auto-update and follow the instructions.
Leave Your Feedback
Let us know if you had any issues when updating to WordPress 3.4.1. Did you find any WordPress plugin or theme conflicts? Please leave your comment below.
Kelli Claypool says
Thanks Regina! Updates went smooth 🙂
Regina Smola says
Hey Kelly,
Thanks for letting me know. My auto-update took less than 1 minute and only 2 clicks 🙂
I’ve just updated my post to include an important WordPress security fix for those still using the WordPress 3.3 branch. If you know anyone that is still on 3.3, please let them know that 3.3.3 is out.
Tyron says
Thanks for the update and I have updated my blog to the latest version. 🙂
Regina Smola says
Awesome Tyron! Glad it worked for you.
Kimberly Castleberry says
The new update has caused the new Facebook plugin for WordPress to throw an exception on post publication on 2 blogs. Nothing fatal or overly problematic. Upgrade regardless.
Kim
Regina Smola says
That plugin looks pretty cool, but I’m not ready to jump in the water yet. Let me know if you get it worked out. Thanks Kim!
Damon says
So would this update mainly be critical for multi site installs? Not saying you shouldn’t upgrade anyway, just wondering if the Urgency is more for the multi site crowd?
Regina Smola says
Hi Damon,
Thanks for your question. The security update is for both, single and multi-site installs.
The first security fix listed, “Privilege Escalation/XSS. Critical. Administrators and editors in multisite were accidentally allowed to use unfiltered_html for 3.4.0,” is specifically for multi-site. The remaining security fixes and hardening pertain to both.
So yes, upgrading is vital.
Rich Guy Miller says
Just updated my hosted wordpress blog to 3.4.1. Oh, my! The dashboard disappeared. No idea why. I am not updating my other sites until this gets resolved. To say my dashboard disappeared is to say that my login url that I have been using says “nothing found for wp-admin Upgrade.”
Michael Schultz says
Hey Mr. Miller!
It sounds like you’re having the same problem a lot of other users are having right now. It could be that one of the core WordPress files with configurations tailored for your server was “upgraded” along with the rest of your files. It’s not a huge issue because if this is the case, it would be as simple as redefining where your WordPress installation is located in the main index file.
If this sounds like your problem, you can find help in the WordPress Codex (http://codex.wordpress.org/Giving_WordPress_Its_Own_Directory). If you need help fixing it, I am available ASAP to give you a consultation and fix it up (https://wpsecuritylock.com/30minwithmichael).
Rich Guy Miller says
Thanks so much for your concern. I have no idea what happened, but about an hour after getting locked out of the dashboard, everything cleared up. Sounds like you really know coding! I am impressed. Thanks again. I am going to save your info should this come up again.
Debra Lloyd says
Thanks for the update, it is super helpful to have the email come into my inbox so I can jump right on it!
I’ve run the update on several blogs no problems at all.
Cheers,
Deb
Regina Smola says
You’re very welcome Deb. Glad I could help.
Susan says
Hi Regina,
I don’t know all the plugins that were in use, but I received an email from a colleague today who had disastrous results after upgrading and uses W3 Total Cache. He is urging everyone to NOT upgrade after experiencing the site down for 3 days. Any thoughts on that ????
~Susan
Regina Smola says
Hi Susan,
Thanks for your question. When upgrading your WordPress site, you should create a backup of your site files and database first. Second, you should deactivate your plugins if you’re doing a manual update. And for automatic upgrades, it’s always a good idea to deactivate any caching plugins first in case they have any issues with the latest version.
Since this is a security update, it is strongly advised that you upgrade right away.
Regina Smola says
Oh, one more thing. Be sure to read Troubleshooting WordPress 3.4 – Master List that covers upgrade issues, including plugins and themes.
Karen says
For us, the update appears to have fixed the custom permalink problem where http://www.site.com/1234 did not redirect to http://www.site.com/1234/post .
Or did we just hold our tongue in the right spot…
Michael Schultz says
Hey Karen! You’re completely right, the update did in fact fix a few permalink issues connected to categories. As one article outlining the update states: “Changes unrelated to security include fixes for problems with category permalink structures…” (http://www.h-online.com/open/news/item/WordPress-3-4-update-closes-important-security-hole-1628769.html).
I’m glad to hear that it’s working well for you. Let us know if any problems may arise; and we wish the best of luck to you!
Chuck says
Hi, I have a multi site install that has four sites, one of which uses a suffusion theme. The other sites do not use this theme. When I upgraded from 3.4 to 3.4.1 my suffusion theme site dashboard no longer comes up, just a blank white page. The others work normally. Any advice on how to get it back to being dashboard accessible?
Brandon says
I just upgraded to 3.4.1 yet lost all of my permalinks. htaccess is set to 666, yet I am still getting the same 404 error. Any advice?
Regina Smola says
Hi Brandon,
Thanks for calling me. You definitely don’t want to use 666 permissions on any files or 777. Thanks for calling me. I’m glad we got your site fixed. It’s amazing how we had to uncheck, save, and then check, and save something. LOL
Brandon says
Ya, but I would have never found that silly box! Again, thank you so much for your time and keep me posted on your upcoming projects on WordPress security.
Brandon says
Hi Regina, everything from yesterday seems to be working, however, from the home page, it gives me that same 404 error if you try to navigate to the second page (or any other page.) It starts off normal
http://blog.gourmetitalian.com/page/2/
but then automatically redirects to http://blog.gourmetitalian.com/page/
and then gives the 404 error.
Thank you so much for your help with all of this
Michael Schultz says
Hey Brandon!
The issue seems to be that your permalink structure was updated and it now includes page names instead of page/IDs.
So page two (which should now be http://blog.gourmetitalian.com/recipes-2/) works fine, but as you can see, the page URL is much different. What you have is probably cached on your browser which is why it’s giving you a 404 error.
I am available to personally consult with you on this issue if you should need that, I can help show you how it has changed and how to make your URLs appear any way you’d like, and how to deal with a 404 error should it ever happen again. Otherwise I’d recommend clearing your cache and you should be good!
Thanks! Let me know how it goes.
-Michael
Brandon says
Thanks Michael, how should I contact you?
Michael Schultz says
Hey Brandon!
You can schedule a quick consultation with us here, where I will speak with you personally.
https://wpsecuritylock.com/services/wordpress-security-consultation/
Thanks!
-Michael
Kevin Baker says
I had a weird thing happen in WP in that when I added categories with a lot of SEO information the categories disappeared??? Anyone else had this happen?
I use the Genesis SEO theme add on which has been great so far.
I used to run a site just programming purely in HTML, but WP speeds things up so much! The only drawback is I’ve forgotten HTML now lol
Michael Schultz says
The plugin could be causing a conflict with the PHP/database’s ability to stream in the content correctly. It could be anything from an update conflict to an issue with one of the fields in the SEO form throwing a fatal error – it’s hard to know without looking at it. Will take a glimpse at it, but it might not tell me much without being able to see the back-end.