WordPress 3.6.1

WordPress 3.6.1 has been release. This is a maintenance and security release, so please upgrade as soon as you get the chance.

This .1 release fixes 13 bugs and the below security issues:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
  • Additionally, we’ve adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.

Download: WordPress 3.6.1

1 Star2 Stars3 Stars4 Stars5 Stars (50 votes, average: 3.70 out of 5)

WordPress 3.1.4 & 3.2 RC3

WordPress 3.1.4 & 3.2 RC3 has been released.

WordPress 3.1.4

WordPress 3.1.4 is available now and is a maintenance and security update for all previous versions.

This release fixes an issue that could allow a malicious Editor-level user to gain further access to the site. Thanks K. Gudinavicius of SEC Consult for bringing this to our attention. Version 3.1.4 also incorporates several other security fixes and hardening measures thanks to the work of WordPress developers Alexander Concha and Jon Cave of our security team. Consult the change log for more details.

Changelog: WordPress 3.1.4
Download: WordPress 3.1.4
Download: Modified files since WordPress 3.1.3

WordPress 3.2 RC3

This release was about all that stood in the way of a final release of WordPress 3.2. So we’re also announcing the third release candidate for 3.2, which contains all of the fixes in 3.1.4; few minor RTL, JavaScript, and user interface fixes; and ensures graceful failures if 3.2 is run on PHP4. As a reminder, we’ve bumped our minimum requirements for version 3.2 to PHP 5.2.4 and MySQL 5.0.

Download: WordPress 3.2 RC3

1 Star2 Stars3 Stars4 Stars5 Stars (109 votes, average: 3.69 out of 5)

WordPress 3.8 Beta 1

Wow that was quick, WordPress 3.8 Beta 1 has been released and the final release is targeted for Thursday, 12th December 2013!

I am looking forward to the new admin UI!

  • The new admin design, especially the responsive aspect of it. Try it out on different devices and browsers, see how it goes, especially the more complex pages like widgets or seldom-looked-at-places like Press This. Color schemes, which you can change on your profile, have also been spruced up.
  • The dashboard homepage has been refreshed, poke and prod it.
  • Choosing themes under Appearance is completely different, try to break it however possible.
  • There’s a new default theme, Twenty Fourteen.
  • Over 250 issues closed already.

Download: WordPress 3.8 Beta 1

1 Star2 Stars3 Stars4 Stars5 Stars (75 votes, average: 3.69 out of 5)

WordPress 4.0.1 Released

WordPress 4.0.1 has been released today and it is a important security release. So please update your WordPress site as soon as possible.

WordPress 4.0.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Sites that support automatic background updates will be updated to WordPress 4.0.1 within the next few hours. If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure. (We don’t support older versions, so please update to 4.0.1 for the latest and greatest.)

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Jouko Pynnonen. This issue does not affect version 4.0, but version 4.0.1 does address these eight security issues:

  • Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
  • An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavkovi? of ManageWP.

Version 4.0.1 also fixes 23 bugs with 4.0, and we’ve made two hardening changes, including better validation of EXIF data we are extracting from uploaded photos. Reported by Chris Andrè Dale.

Download: WordPress 4.0.1

1 Star2 Stars3 Stars4 Stars5 Stars (55 votes, average: 3.69 out of 5)