WordPress 3.9.2

WordPress 3.9.2 has been released. It is a security release, so it is recommended that you update your site immediately.

This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated on joint security releases.

WordPress 3.9.2 also contains other security changes:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
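
The first two items above, the denial of service in PHP's XML processing and the entity attack against GetID3, are both variants of untrusted XML carrying its own DTD. The following PHP function is an added example, not WordPress or GetID3 code, of the defensive pattern of refusing any payload that declares entities before it reaches the parser and disabling network fetches for the rest; the function names and the two sample documents are constructed for the example.

```php
<?php
// Added example (not WordPress or GetID3 code): reject XML payloads that
// carry a DOCTYPE/ENTITY declaration before handing them to PHP's XML
// parser, and parse everything else with network access disabled.
// Function names are hypothetical.

function xml_has_entity_declaration(string $xml): bool {
    // Any internal or external DTD subset can declare entities; an XML-RPC
    // request or an ID3 metadata blob never legitimately needs one. The
    // check is deliberately coarse (it also fires on "<!DOCTYPE" inside a
    // comment or CDATA section) so that it fails closed.
    return preg_match('/<!(?:DOCTYPE|ENTITY)\b/i', $xml) === 1;
}

function parse_xml_safely(string $xml): ?SimpleXMLElement {
    if (xml_has_entity_declaration($xml)) {
        return null;                              // refuse instead of expanding
    }
    $previous = libxml_use_internal_errors(true); // collect errors, do not print
    // LIBXML_NONET: never fetch external resources (SYSTEM identifiers)
    // while parsing, so a surviving reference cannot read files or URLs.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc === false ? null : $doc;
}

// Constructed inputs: a benign XML-RPC call, and a document whose internal
// DTD defines an entity in terms of another (the expansion pattern that
// lets a small request cost the parser a large amount of memory and CPU).
$benign = '<?xml version="1.0"?>'
        . '<methodCall><methodName>demo.sayHello</methodName></methodCall>';
$entity = '<?xml version="1.0"?>'
        . '<!DOCTYPE x [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
        . '<x>&b;</x>';

var_dump(parse_xml_safely($benign) instanceof SimpleXMLElement);
var_dump(parse_xml_safely($entity) === null);
```

The pre-parse check is what makes the difference on older libxml2 builds that impose no entity expansion limit; LIBXML_NONET alone does not stop an internal entity from expanding.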

We appreciated responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 3.9.2 now or go to Dashboard -> Updates and click “Update Now”.


Confirmed WordPress 2.7 Features

Ryan Boren has posted a list of confirmed features that will appear in WordPress 2.7. Some of these features are still under development and should be done soon.

  • New admin UI based on the crazyhorse experimental UI branch with new menus and navigation
  • New edit post page that allows dragging and dropping of meta boxes. Boxes can be expanded and collapsed as before and now also completely hidden.
  • Ability to hide columns on the content index pages
  • Inline editing of posts and pages on the content index pages
  • Comments XMLRPC API (Who wants comment moderation on the iPhone? Me.)
  • Reply to comments from the admin
  • Keyboard hot keys for managing comments
  • Threaded Comments and new wp_list_comments() API
  • Sticky Posts
  • Automatic plugin install and integrated plugin browser
  • Automatic upgrade of WordPress
  • HTTPOnly auth cookies
  • New HTTP request API
  • A new SSH2 filesystem abstraction for updates and installs over sftp

Theme update, install, and browsing may also get done in time for 2.7.


WordPress 3.0.4

WordPress 3.0.4 has been released, and it is a critical update as it fixes an XSS vulnerability.

It is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as critical.
I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.

If you are a security researcher, we’d appreciate you taking a look over this changeset as well to review our update. We’ve given it a lot of thought and review but since this is so core we want as many brains on it as possible. Thanks to Mauro Gentile and Jon Cave (duck_) who discovered and alerted us to these XSS vulnerabilities first.

Changelog: WordPress 3.0.4
Download: WordPress 3.0.4
Download: Modified files since WordPress 3.0.3
