Time To Update WordPress, 3.5.2 Is Here. And Yes, You Want To Update Today

WordPress just released an update, version 3.5.2, and it is full of security updates. I’ve written about it many times before, but I’ll say it again: updating WordPress is the #1 way to secure the platform. Too many people wait weeks after an update is released, leaving their sites open to the widespread WordPress attacks that are happening more and more now.

15%-20% of the top million websites run WordPress; that’s a lot. There are over 67 million WordPress sites online and about 100,000 new ones launching every day. This has made the platform a prime target for hackers and spammers, and in April of this year there was a massive attack that impacted lots and lots and lots of WordPress sites across the web.

“According to reports from HostGator and CloudFlare, there is currently a significant attack being launched at WordPress blogs across the Internet. For the most part, this is a brute-force dictionary-based attack that aims to find the password for the ‘admin’ account that every WordPress site sets up by default. HostGator’s analysis found that this is a well-organized and very distributed attack.” (source – TechCrunch)

Here are some of the security updates included in the new WordPress 3.5.2 update:

  • Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199.
  • Privilege Escalation: Contributors can publish posts, and users can reassign authorship. CVE-2013-2200.
  • Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205.
  • Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173.
  • Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204.
  • Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201.
  • Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.

So, needless to say, if you’re reading this, and your site runs WordPress, update it now. Happy Friday!

3 comments

  • Brian Diener June 21, 2013, 8:56 pm

    Updating my sites right now, my sites were all hacked a few years ago and it took weeks to get them all back online. Don’t want to deal with that again.

  • Thomas June 22, 2013, 1:09 am

    Hi Morgan
    I just noticed this morning that it has been released. As soon as my backup is done I will for sure upgrade to this new version. I really don’t want my blog hacked..!

  • John Lefler June 23, 2013, 8:29 am

    After updating to WordPress 3.5.2 all of my post content vanished. Only links to blank posts remain. Any idea what that’s about?
