WordPress 3.4.2 Released – Maintenance and Security Update!!

As many know, the WordPress team today released WordPress 3.4.2, which they have titled a maintenance and security release.


By now many blogs and forums have reposted the same announcement to get the word out, and that's great.

It took us a bit longer because we wanted to better understand the specifics of the security release. Here is what we found:

The security release addresses three issues:

The Security Fixes


Two Role Escalations

  • Multisite – The administrator role was able to activate a plugin that was not active on the network, which is a form of role escalation: it lets a site administrator act as a super administrator. This one is well documented in Ticket 21187.
  • AtomPub – Could hypothetically be used to publish a post from the contributor role, which normally cannot publish. Not documented in tickets.

One Patch Update

  • Unfiltered_html patch from 3.4.1 – Updated with a more effective, long-term solution. Find more details in our last patch release post.

Although role escalation sounds alarming, if a vulnerability assessment were being conducted these would be categorized as low risk: each one requires an attacker who already holds an authenticated account with a role on the site (an administrator on a multisite network, or a contributor), and none is exploitable by an anonymous visitor. This is not to say they are not important, but perspective is always good.


If you read our last post on WordPress security, you will see how prevalent role escalation is today, not just in core but in themes and plugins alike.

A reminder to update responsibly: if in doubt, read our guide on updating safely. The last thing anyone wants is for you to break your site.
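Before updating it helps to know which of your installs are actually behind. The script below is an added example written for this post, not a Sucuri tool or WordPress core code. It reads the `$wp_version = '...';` assignment that WordPress core keeps in `wp-includes/version.php`, compares it against 3.4.2 with a numeric comparison (so 3.10 is not mistaken for older than 3.4), and treats release candidates such as 3.4.2-RC2 as older than the final release. The site names and file contents are constructed samples; the `read_site()` helper shows how you would feed it real document roots.

```python
"""Audit WordPress installs for versions older than 3.4.2.

Added example for this post; not Sucuri's tooling and not WordPress code.
Assumes the real layout of wp-includes/version.php, which assigns
$wp_version = '3.4.2'; (single or double quotes). Sample contents below
are constructed for the demonstration.
"""
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

FIXED_VERSION = "3.4.2"  # the release containing the fixes discussed above

# Matches the assignment WordPress core uses in wp-includes/version.php
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")

# Constructed sample version.php contents keyed by a hypothetical site name
SAMPLE_SITES: Dict[str, str] = {
    "blog.example": "<?php\n/**\n * The WordPress version string\n */\n$wp_version = '3.4.1';\n",
    "shop.example": "<?php\n$wp_version = '3.4.2';\n",
    "staging.example": '<?php\n$wp_version = "3.4.2-RC2";\n',
    "broken.example": "<?php\n// version.php tampered with or truncated\n",
}


def parse_version(text: str) -> Optional[str]:
    """Return the $wp_version string from version.php contents, or None."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Sortable key: (major, minor, patch, is_final).

    '3.4.2'     -> (3, 4, 2, 1)
    '3.4.2-RC2' -> (3, 4, 2, 0)  pre-releases sort before the final release
    '3.4'       -> (3, 4, 0, 1)  missing components are padded with zero
    """
    core, _, suffix = version.partition("-")
    parts = [int(p) for p in core.split(".") if p.isdigit()][:3]
    while len(parts) < 3:
        parts.append(0)
    is_final = 0 if suffix else 1
    return (parts[0], parts[1], parts[2], is_final)


def is_outdated(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the install is older than the release containing the fixes."""
    return version_key(version) < version_key(fixed)


def audit(sites: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str]]:
    """Map site name -> (version, verdict) for site -> version.php contents.

    Verdicts: 'outdated', 'current', or 'unknown' when no version string is
    found (which itself deserves a manual look, since core always ships one).
    """
    results: Dict[str, Tuple[Optional[str], str]] = {}
    for name, contents in sites.items():
        version = parse_version(contents)
        if version is None:
            verdict = "unknown"
        elif is_outdated(version):
            verdict = "outdated"
        else:
            verdict = "current"
        results[name] = (version, verdict)
    return results


def read_site(docroot: Path) -> str:
    """Read version.php from a real WordPress document root (hypothetical path)."""
    return (docroot / "wp-includes" / "version.php").read_text(encoding="utf-8")


if __name__ == "__main__":
    # For real installs: audit({p.name: read_site(p) for p in Path("/var/www").iterdir()})
    for site, (version, verdict) in audit(SAMPLE_SITES).items():
        print(f"{site:18} {version or '-':12} {verdict}")
```

Anything reported as `outdated` should be updated following the safe-update guide; anything reported as `unknown` means `version.php` does not look like the file core ships, which is worth investigating before you update on top of it.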

About Tony Perez

Tony is the Co-Founder / CEO at Sucuri. He shares a deep passion for Information Security, Business and Brazilian JiuJitsu. He approaches the business the same as he trains BJJ, one move at a time and gently. You can follow him on twitter: @perezbox.