WordPress has fixed a number of security vulnerabilities, including one that could lead to remote code execution on vulnerable installations. WordPress 3.6.1 is the new, updated release that contains the fixes and also includes some non-security bug fixes and stability changes.
The most serious security issue fixed in WordPress 3.6.1 is a remote-code execution vulnerability related to the way that the software handles certain PHP objects. The vulnerability was discovered by a researcher named Tom Van Goethem, who reported it to WordPress in April. It took five months for the fix to appear in a WordPress release. The bug has to do with the way that WordPress deals with some serialized input.
WordPress says the change in 3.6.1 will “Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.” The description of the vulnerability from Van Goethem is a bit more detailed.
“Another type of vulnerability that an attacker can exploit when his data is run through the
unserialize() function, is “PHP Object Injection”. In this case, object-types are unserialized, allowing the attacker to set all the properties of the object to his choice. When the object’s methods are called, this could have some effect (e.g. removing some file), and as the attacker is able to choose the properties of the object, he might be able to remove a file of his choice,” Van Goethem wrote in an explanation of the bug.
“Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Use a safe, standard data interchange format such as JSON (via json_decode() and json_encode()) if you need to pass serialized data to the user.”
In addition to the PHP vulnerability, WordPress 3.6.1 also includes fixes for two other security vulnerabilities:
- Link Injection / Open Redirect: Fix insufficient input validation that could result in redirecting or leading a user to another website.
- Privilege Escalation: Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user.
WordPress also made a change to the software that is designed to make cross-site scripting attacks on WP installations more difficult. The change modifies “security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.”