The security fixes included:
- Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
- Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
- An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki.
- Prevention of a denial of service attack, affecting sites using password-protected posts.
- An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
- Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
- Avoid disclosing a full file path when an upload fails. Reported by Jakub Galczyk.
For WordPress security, please upgrade your site(s) to WordPress version 3.5.2 right now.
Please help others using WordPress and spread awareness of this important update by using the social icons below and emailing the link to this article to your list.
Leave Your Feedback
Let us know if you had any issues when updating to WordPress 3.5.2. Did you find any WordPress plugin or theme conflicts? Please leave your comment below.
Loretta says
Just finished updating all of my sites… haven’t seen any issues with broken plugins or anything like that.
Regina Smola says
Awesome Loretta! Thanks for letting me know. I got all my sites updated as well and it was smooth sailing 🙂
Dawn says
Hi Regina. One of my sites didn’t have the notification to update WordPress. Is this common – meaning it just hasn’t received the update notification yet?
Regina Smola says
Hey Dawn,
Strange, but maybe your wp cron didn't run yet. Try going to your dashboard and click on Updates. Then click on the "Check Again" button and see if it shows up.
Ken says
Just finished the update to our site. Update process worked smoothly and only took a few minutes. Thanks for the reminder, and thanks for your help in the past in securing our website. It has been smooth sailing ever since.
Regina Smola says
Hi Ken,
Nice to hear from you. Glad your WordPress site upgraded smoothly and is running good.
~ Regina
Herschel Lawhorn says
Hi Regina,
Just updated all 12 of my blogs without a hitch.
Thanks for all your great information.
Herschel Lawhorn
scriptjunkie says
What is the severity of the SSRF vuln? If I don’t view untrusted content while logged in or from the same browser I log into my admin panel with, that should stop XSS. If I have a vanilla install with no plugins, should I still be worried? Does having contributors affect the severity of the vulnerability?
Sometimes it is very difficult to update. We need to know whether security precautions like disabling other accounts, disabling plugins, disabling pingbacks, or not logging in would mitigate the vulnerabilities until we have time to update.
Paul B. Taubman, II says
Thanks for the notification, Regina! I updated a couple sites to see how things work. So far so good!
One quick piece of advice – even though a lot of folks have been saying the upgrade went smoothly, Remember to Take A BackUp of Your Site Before you do the upgrade!
Better to be safe than sorry!
Thanks.
Paul.
akhil says
Thanks for the update. Looks like WordPress gets stronger!
Keith Davis says
Hi Regina
I saw the update last night via the Sucuri guys.
Thanks for the reminder and for stressing that they have fixed various security issues.
I thought that the next release would be 3.6 so this was a bit of a surprise.
Looks like time to update.
Ehsan says
Thanks for letting me know about the updates. I have updated 2 of my sites so far, and am going to update the rest. Thanks for sharing this essential information.
Alex Newell says
Thanks Regina – I would have ignored the update if not for your news of the security fixes.
I’m considering a service like ManageWP to make updating several blogs at once easier. Have you looked into this product?
Alex
Regina Smola says
Hi Alex,
Thanks for your comment. I use Infinite WP right now and love it.
Shirley says
Updated all of my sites with no issues. I did notice, as someone else on this thread mentioned, that there was no "Update WordPress" notification on any of my sites. Usually it appears on the Dashboard page. I clicked the update button and the notification was on that page only.
Actually if I hadn’t received your email it would have been a few days before I even realized there had been a WordPress update so thanks.
Regina Smola says
Hi Shirley,
You may have a cron issue with your website. I would contact your host and ask them to make sure your cron is running properly.
Let me know if you still need help.
Shirley says
Thanks Regina! I'll check into that with them!
Terry loving says
Thanks for getting the word out so quickly. Updating as soon as the notice comes out saves me a ton of work later when the hackers discover the "holes" through which to gain their access.
Terry
ceejay joe says
Thank you for the info, am just going to do that to my blogs now before it is too late.
And WordPress is really improving…
Enviro Equipment Blog says
Whoa! After reading your blog, I went back to make sure we were using the latest version of WordPress and guess what… we weren't. My boss would've killed me if you found out they had a security issue because I failed to update our blog's software.
A million thank you’s, Regina.
Peter says
Such good news, just because I've read a lot about hacked wp blogs in the last couple of weeks. I haven't had any bad experiences because I use wordpress.com's free hosting and blogging service, and – although I can't use all the plugins – it means some security as well. This update looks pretty awesome, now I think it's time for me to switch to some more professional (wp.org) blog…