RealTime IT News

Open Source WordPress Updated for Media Upload Vulns


From the 'Responsible Disclosure' files:

Users of the open source WordPress blogging system (and there are millions of us), should have seen an alert in their dashboard to update in recent days. WordPress 3.3.2 came out late Friday and is primarily a security update for media, upload, cross site scripting and privilege escalation bugs.

There are updates for Plupload, SWFUpload and SWFObject, which are all third party libraries used by WordPress for media uploading and handling.

Core WordPress updates include a pair of what I personally consider to be, really nasty cross site scripting (XSS) flaws. One of them affected redirects after posting comments the other for clickable URLs.

Why I consider XSS to be so dangerous in the WordPress context is that so far as I know, no client-side anti-virus/security software can block an XSS attack. Sure, end-point security can block the payload, but XSS is a server side issue which means that a properly crafted attack can do a whole lot of harm.

While the 3.3.x release branch is getting patched for security, developers are pushing forward on the next generation of WordPress with the version 3.4 Beta 3 release. The big highlight of the 3.4 release is a new theme customizer, which could well revolutionize how WordPress theming is managed.


Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals Follow him on Twitter @TechJournalist.