WordPress 3.5.2

WordPress 3.5.2 has been released and this is a security fix which fixes 12 bugs including the following security issues:

  • Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
  • Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
  • An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki.
  • Prevention of a denial of service attack, affecting sites using password-protected posts.
  • An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
  • Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
  • Avoid disclosing a full file path when a upload fails. Reported by Jakub Galczyk.

You ae advised to upgrade immediately.

Download: WordPress 3.5.2 or visit Dashboard -> Updates in your site admin to update now.

1 Star2 Stars3 Stars4 Stars5 Stars (56 votes, average: 4.00 out of 5)

WordPress 3.5.1

WordPress 3.5.1 has been released and fixes 37 bugs including the following issues:

  • Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
  • Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
  • Networks: Suggest proper rewrite rules when creating a new network.
  • Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
  • Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
  • Suppress some warnings that could occur when a plugin misused the database or user APIs.

Additionally, a bug affecting Windows servers running IIS can prevent updating from 3.5 to 3.5.1. If you receive the error “Destination directory for file streaming does not exist or is not writable,” you will need to follow the steps outlined on the Codex.

WordPress 3.5.1 also addresses the following security issues:

  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
  • Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
  • A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

Download: WordPress 3.5.1 or visit Dashboard -> Updates in your site admin to update now.

1 Star2 Stars3 Stars4 Stars5 Stars (156 votes, average: 4.07 out of 5)

WordPress 3.5

WordPress 3.5 is out after 6 RCs!

What’s New

If you’ve been around WordPress a while, the most dramatic new change you’ll notice is a completely re-imagined flow for uploading photos and creating galleries. Media has long been a friction point and we’ve listened hard and given a lot of thought into crafting this new system. 3.5 includes a new default theme, Twenty Twelve, which has a very clean mobile-first responsive design and works fantastic as a base for a CMS site. Finally we’ve spent a lot of time refreshing the styles of the dashboard, updating everything to be Retina-ready with beautiful high resolution graphics, a new color picker, and streamlining a couple of fewer-used sections of the admin.

For Developers

You can now put your (or anyone’s) WordPress.org username on the plugins page and see your favorite tagged ones, to make it easy to install them again when setting up a new site. There’s a new Tumblr importer. New installs no longer show the links manager. Finally for multisite developers switch_to_blog() is way faster and you can now install MS in a sub-directory. The Underscore and Backbone JavaScript libraries are now available

Codex: WordPress 3.5
Download: WordPress 3.5

1 Star2 Stars3 Stars4 Stars5 Stars (168 votes, average: 3.93 out of 5)

WordPress 3.5 RC3

WordPress 3.5 RC3 has been released, I am expecting it to be the last RC and we will see the final WordPress 3.5 sometime within this week. No idea whether they will meet the originally targeted date of 5th December 2012.

  • Final UI improvements for the new media manager, based on lots of great feedback.
  • Show more information about uploading errors when they occur.
  • When inserting an image into a post, don’t forget the alternative text.
  • Fixes for the new admin button styles.
  • Improvements for mobile devices, Internet Explorer, and right-to-left languages.
  • Fix cookies for subdomain installs when multisite is installed in a subdirectory.
  • Fix ms-files.php rewriting for very old multisite installs.

Here is a list of pending issues (6 left): http://core.trac.wordpress.org/report/5

Download: WordPress 3.5 RC3

1 Star2 Stars3 Stars4 Stars5 Stars (112 votes, average: 3.96 out of 5)