WordPress Security Update

The WordPress team released WordPress 3.3.2 on 18 May 2012 to address several vulnerabilities in the popular blogging platform as well as in three external libraries that are bundled by default.

One of the vulnerable bundled libraries is Plupload, which was upgraded to version 1.5.4 after its developers patched a cross-site request forgery (CSRF) vulnerability last week. Plupload is an upload library that supports a variety of runtimes, including BrowserPlus, Silverlight, Flash, HTML5 and Gears. WordPress uses it by default for uploading media files.

Several security bugs were also addressed in two more libraries called SWFUpload and SWFObject. WordPress used them in the past for media file uploading and Flash embedding. Even though WordPress no longer uses these libraries, they are still shipped with the platform by default to maintain backward compatibility for older themes and plug-ins.

Two cross-site scripting (XSS) vulnerabilities that could be exploited when making URLs clickable, when filtering URLs, or when redirecting users after they post comments in older browsers have also been addressed in the new WordPress version, the WordPress team said in the release notes.

A privilege escalation vulnerability of limited impact, which could be used by a site administrator to deactivate all network-wide plug-ins when running a WordPress network, was also fixed.

Security researchers advise website owners to keep their WordPress installations and all associated plug-ins and themes up-to-date at all times.

WordPress is a common target for attackers, who exploit vulnerabilities in outdated installations to inject malicious code into websites powered by WordPress. The Flashback malware that recently infected over 600,000 Mac computers was distributed through Web-based attacks launched from compromised WordPress websites.