A new version of the WordPress software is available, and the update includes fixes for a number of security vulnerabilities, including a bug in components that are used to upload media to WordPress sites. Version 3.3.2 also has some other fixes for cross-site scripting and other flaws.
WordPress is used widely for both personal blogs as well as somewhat larger sites, and it has become a frequent target for attackers in a variety of campaigns. WordPress sites often are used in mass-injection attacks in which attackers compromise those sites and use them as platforms for infecting visitors through drive-by downloads.
Among the vulnerabilities fixed in version 3.3.2 of WordPress are:
- Plupload (version 1.5.4), which WordPress uses for uploading media.
- SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
- SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.
In addition to those flaws, WordPress’s developers also included patches for a pair of XSS bugs. One of the XSS flaws can be exploited when URLs are made clickable on WordPress pages, and the other lies in the way that redirects are handled after users post comments using older browsers.
There also is a fix for a privilege escalation vulnerability that can crop up in some circumstances when a site administrator could deactivate network-wide plugins when running a WordPress network.
