WordPress Security News: WordPress 3.4.1 has just been released to the public. It includes 18 bug fixes plus security fixes and hardening.
WordPress 3.4.1 fixes several security issues and adds further hardening. The vulnerabilities in WordPress 3.4 included a potential information disclosure and a bug affecting multi-site installs with untrusted users. WordPress 3.3.3 was also released today as a security release for sites still on the 3.3 branch.
Here are the security fixes in WordPress 3.4.1, from the WordPress Codex:
- Privilege Escalation/XSS. Critical. Administrators and editors in multisite were accidentally allowed to use unfiltered_html in 3.4.0. (On multisite, unfiltered_html is meant to be reserved for super admins, so this let site-level users post raw markup.)
- CSRF. Additional CSRF protection in the customizer.
- Information Disclosure: Disclosure of post contents to authors and contributors (such as private or draft posts).
- Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information.
- Hardening: Require a child theme to be activated with its intended parent only.
Here is a list of the WordPress 3.4.1 bug fixes from WordPress.org:
- Fixes an issue where a theme’s page templates were sometimes not detected.
- Addresses problems with some category permalink structures.
- Adds early support for uploading images on iOS 6 devices.
- Allows for a technique commonly used by plugins to detect a network-wide activation.
- Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.
The full list of bug fixes is available in the WordPress Trac.
WordPress 3.3 Users, Please Update to WordPress 3.3.3:
If you have not yet upgraded to WordPress 3.4 because of a plugin or theme conflict, a security release was also published for you today. Please upgrade to WordPress 3.3.3 as soon as possible.
WordPress Security Fixes in Version 3.3.3 from the WordPress Codex:
- Cross-Site Scripting: Fix persistent XSS via editable slug fields. (Also fixed in 3.4.0.)
- Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information. (Also fixed in 3.4.1.)
- Hardening: Require a child theme to be activated with its intended parent only. (Also fixed in 3.4.1.)
- Information Disclosure: Restrict some post IDs when dealing with media uploading, which could leak some info (or attach media to a post the user doesn’t have privileges to). (Also fixed in 3.4.0.)
- Information Disclosure: Hide post excerpts when the user cannot read the whole post (e.g. a contributor can’t read someone else’s draft beyond the title). (Also fixed in 3.4.0.)
- XSS Hardening: Escape the output of get_pagenum_link(). Note that this function was previously documented as returning unescaped data (callers were expected to escape it), so this was not a core vulnerability but an enhancement; a theme that echoed the return value without escaping was, however, exposed. (Also fixed in 3.4.0.)
- CSRF Hardening: Prevent unfiltered HTML in comments when there is potential for clickjacking (i.e. when the front-end of the site is loaded in a frame). (Also fixed in 3.4.0.)
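The get_pagenum_link() escaping note and the unfiltered_html item above both come down to the same two habits in theme and plugin code: escape at the point of output, and check the capability rather than assuming a role implies it. The following is an added illustration written for this post, not code from WordPress core or from any theme; it assumes it is loaded as a plugin inside a running WordPress install (esc_url, esc_html__, wp_kses_post, current_user_can, check_admin_referer and get_pagenum_link all come from core), and the wpsl_example_* function names are made up for the example.

```php
<?php
/**
 * Plugin Name: WPSL Escaping Example (added example, not WordPress core code)
 *
 * Two hardening habits behind the 3.3.3 / 3.4.x release notes:
 *  1. get_pagenum_link() was documented as returning unescaped data, so any
 *     theme printing it had to escape it. Since 3.3.3 / 3.4.0 core escapes it
 *     by default; escaping again at output is harmless and protects older installs.
 *  2. unfiltered_html is a capability, not a role. On multisite only super
 *     admins hold it; 3.4.0 accidentally granted it to administrators and editors.
 * Assumes the WordPress runtime is loaded (all wp_/esc_ functions are core).
 */

// Pattern seen in older themes: the URL lands in an attribute unescaped.
// On an unpatched install a crafted request could break out of href="...".
function wpsl_example_unsafe_next_link( $page ) {
    return '<a href="' . get_pagenum_link( $page ) . '">Next</a>';
}

// Hardened: escape at output. esc_url() drops javascript: and other
// non-whitelisted schemes and encodes characters that would end the attribute.
function wpsl_example_safe_next_link( $page ) {
    return '<a href="' . esc_url( get_pagenum_link( $page ) ) . '">'
        . esc_html__( 'Next', 'wpsl-example' ) . '</a>';
}

// Only users who actually hold unfiltered_html keep raw markup; everyone
// else is run through the same KSES whitelist core uses for post content.
function wpsl_example_filter_user_html( $html ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $html;
    }
    return wp_kses_post( $html );
}

// Form handler: verify the nonce (CSRF) before trusting anything in $_POST,
// then apply the capability-gated filter. 'wpsl_example_save' is the nonce
// action name this example assumes was used with wp_nonce_field() in the form.
function wpsl_example_handle_post() {
    if ( ! isset( $_POST['wpsl_example_html'] ) ) {
        return;
    }
    check_admin_referer( 'wpsl_example_save' );
    $clean = wpsl_example_filter_user_html( wp_unslash( $_POST['wpsl_example_html'] ) );
    update_option( 'wpsl_example_html', $clean );
}
add_action( 'admin_init', 'wpsl_example_handle_post' );
```

The point of wpsl_example_filter_user_html() is that it never asks "is this user an administrator"; it asks for the specific capability, so the multisite rule (super admins only) and the DISALLOW_UNFILTERED_HTML setting are honoured without the plugin knowing about either.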
Important! It is strongly advised that you log in to your WordPress Dashboard and update now. If you do not see the update flagged in yellow at the top of your Dashboard, go to Dashboard > Updates in the sidebar and install the update. Alternatively, you can download the release from http://wordpress.org/download/release-archive/.
Note: Be sure you create a full backup of your database and files before updating.
I just upgraded WPSecurityLock.com to WordPress 3.4.1 and it was very smooth. A database update was required, so be sure to stay at your browser when doing the auto-update and follow the instructions.
Leave Your Feedback
Let us know if you had any issues when updating to WordPress 3.4.1. Did you find any WordPress plugin or theme conflicts? Please leave your comment below.