Time To Update WordPress, 3.5.2 Is Here. And Yes, You Want To Update Today

WordPress just released an update, version 3.5.2, and it is full of security updates. I’ve written about it many times before, but I’ll say it again: updating WordPress is the #1 way to secure the platform. Too many people wait weeks after an update is released, leaving their sites open to the widespread WordPress attacks that are happening more and more now.

15%-20% of the top million websites run WordPress. That’s a lot. There are over 67 million WordPress sites online and about 100,000 new ones launching every day. This has made the platform a prime target for hackers and spammers, and in April of this year there was a massive attack that impacted lots and lots and lots of WordPress sites across the web.

“According to reports from HostGator and CloudFlare, there is currently a significant attack being launched at WordPress blogs across the Internet. For the most part, this is a brute-force dictionary-based attack that aims to find the password for the ‘admin’ account that every WordPress site sets up by default. HostGator’s analysis found that this is a well-organized and very distributed attack.” (source – TechCrunch)

Here are some of the security updates included in the new WordPress 3.5.2 update:

  • Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
  • Privilege Escalation: Contributors can publish posts, and users can reassign authorship. CVE-2013-2200.
  • Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
  • Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
  • Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204.
  • Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
  • Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.

So, needless to say, if you’re reading this, and your site runs WordPress, update it now. Happy Friday!

Morgan Linton
