WordPress 3.5.2 is now available. This is the second maintenance release of 3.5, fixing 12 bugs. It is a security release for all previous versions and we strongly encourage you to update your sites immediately. The WordPress security team resolved seven security issues, and this release also contains some additional security hardening.
The security fixes included:
- Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
- Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
- An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki. (Developers: More on SWFUpload here.)
- Prevention of a denial of service attack, affecting sites using password-protected posts.
- An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
- Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
- Avoid disclosing a full file path when an upload fails. Reported by Jakub Galczyk.
Download WordPress 3.5.2 or update now from the Dashboard → Updates menu in your site’s admin area.
Also: WordPress 3.6 Beta 4: If you are testing WordPress 3.6, please note that WordPress 3.6 Beta 4 (zip) includes fixes for these security issues.