WordPress 3.5.2 security update was released!

Today I got a notice from the WordPress blog about the security update. "This is a security release for all previous versions and we strongly encourage you to update your sites immediately. The WordPress security team resolved seven security issues, and this release also contains some additional security hardening." – wordpress.com

Here are the 12 bug fixes:

| Ticket | Summary | Owner | Type | Priority | Component | Version |
|---|---|---|---|---|---|---|
| #23178 | Screen reader shortcut links generated by `_render()` from `WP_Admin_Bar` class should use `rel="nofollow"` | nacin | defect (bug) | normal | Toolbar | |
| #23187 | `esc_url()` fails if the URL's scheme's case does not match the allowed protocol's case | nacin | defect (bug) | normal | Formatting | |
| #23284 | Wrong parameter order for `stripos` in `wp-includes/functions.php` | nacin | defect (bug) | normal | General | 3.5 |
| #23298 | Initial gallery 'Link to' setting not applied | ryan | defect (bug) | normal | Gallery | 3.5.1 |
| #23337 | TinyMCE, webkit and backspace/linebreak/italic issues | nacin | defect (bug) | normal | TinyMCE | 3.5.1 |
| #23418 | banned names / `illegal_names` not being banned | nacin | defect (bug) | normal | Multisite | 3.5.1 |
| #23683 | Fatal error in `WP_User_Query` | SergeyBiryukov | defect (bug) | normal | Users | 3.4 |
| #23708 | `get_post_ancestors()` no longer works inside loop | nacin | defect (bug) | normal | Post Types | 3.5 |
| #23715 | Plugins/Themes that rely on `get_option('embed_autourls')` may fail in 3.5.x | | defect (bug) | normal | Embeds | 3.5 |
| #24602 | `wp_get_single_post()` should not use 'edit' context for `get_post()` | nacin | defect (bug) | normal | Post Types | |
| #24611 | Pass `$post` to hooks in `edit-form-advanced.php` | nacin | defect (bug) | normal | Plugins | 3.5 |
| #23555 | Fatal error when sunrise added | nacin | defect (bug) | low | Multisite | 3.5.1 |

Additionally, version 3.5.2 fixes seven security issues:

* Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
* Privilege Escalation: Contributors can publish posts, and users can reassign authorship. CVE-2013-2200.
* Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
* Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
* Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204.
* Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
* Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.

Additional security hardening includes:

* Cross-Site Scripting (XSS) (Low Severity) when Editing Media. CVE-2013-2201.
* Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating Plugins/Themes. CVE-2013-2201.
* XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.

source: wordpress.com
