As many know, today the WordPress team released WordPress 3.4.2, a new patch release, and have titled it a maintenance and security release.
By now many have regurgitated the same post in a number of different blogs and forums pushing the word out; that’s great.
It took us a bit longer because we wanted to better understand the specifics of the security release. Here is what we found:
The security release is made up of three issues:
The Security Fixes
Two Role Escalations
- Multisite – Administrator role was able to activate a plugin on the network that was not active, which in turn is a form of role escalation, allowing the role to function as super administrator. This one was well documented in Ticket 21187.
- AtomPub – Could be used to hypothetically publish a post with the contributor role. Not documented in tickets.
One Patch Update
- Unfiltered_html patch from 3.4.1 – Updated with a more effective and long-term solution. Find more details in our last patch release post.
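The first of the two role escalations above comes down to a site administrator on a Multisite network being able to take an action that should require the network-level capability. Updating to 3.4.2 is the fix; as an added defence-in-depth illustration (our own example, not code from the WordPress release or from the 3.4.2 patch), the following must-use plugin shows how the capability mapping can be tightened so that activating any plugin on a network requires the manage_network_plugins capability, which only super administrators hold. It assumes the standard map_meta_cap filter and is_multisite() function from WordPress core and that the file is dropped into wp-content/mu-plugins/.

```php
<?php
/*
Plugin Name: Require network capability to activate plugins (example)
Description: Defence-in-depth example for Multisite; assumes WordPress core's
             map_meta_cap filter. Not part of the 3.4.2 release itself.
*/

// map_meta_cap lets us add required primitive capabilities to a capability check.
// Core checks 'activate_plugins' before activating a plugin; on a network we add
// 'manage_network_plugins', so a per-site administrator is no longer sufficient.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    if ( 'activate_plugins' === $cap && is_multisite() ) {
        // Only super administrators hold manage_network_plugins, so anyone
        // else fails the check and the activation is refused.
        $caps[] = 'manage_network_plugins';
    }
    return $caps;
}, 10, 4 );
```

Because must-use plugins load before regular plugins and cannot be deactivated from the dashboard, a site administrator cannot simply switch the check off. On a single-site install the filter changes nothing, since the is_multisite() test fails.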
Although role escalation is not for the faint-hearted, if a vulnerability assessment were being conducted these would be categorized as low risk. This is not to say they are not important, but perspective is always good.
If you read our last post on WordPress Security you will see how prevalent the issue of role escalation is today, not just in core, but in themes and plugins alike.
Reminder to update responsibly. If in doubt, be sure to read our guide on updating safely; the last thing anyone wants is for you to blow up your site.