WordPress just released an update, version 3.5.2 and it is full of security updates. I’ve written about it many times before but I’ll say it again, updating WordPress is the #1 way to secure the platform. Too many people wait weeks after an update occurs leaving their site open to widespread WordPress attacks that are happening more and more now.
15%-20% of the top million websites run WordPress, that’s a lot. There are over 67 million WordPress sites online and about 100,000 new ones launching every day. This has made the platform a prime target for hackers and spammers and in April of this year there was a massive attack that impacted lots and lots and lots of WordPress sites across the web.
“According to reports from HostGator and CloudFlare, there is currently a significant attack being launched at WordPress blogs across the Internet. For the most part, this is a brute-force dictionary-based attack that aim to find the password for the ‘admin’ account that every WordPress site sets up by default. HostGator’s analysis found that this is a well-organized and very distributed attack.” (source – TechCrunch)
Here are some of the security updates included in the new WordPress 3.5.2 update:
- Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
- Privilege Escalation: Contributors can publish posts, and users can reassign authorship. CVE-2013-2200.
- Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
- Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
- Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204.
- Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
- Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
So, needless to say, if you’re reading this, and your site runs WordPress, update it now. Happy Friday!