WordPress 3.6.1 Released – Includes Security Fixes

The WordPress team just pushed out a new version of WordPress. WordPress 3.6.1 is a maintenance release that includes some security bug fixes. Straight from their release post, these are the security changes:

  1. Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  2. Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  3. Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
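As an added illustration of the third item (not code from the release post or from WordPress core), here is a redirect-target validator of the kind needed to stop a crafted value from sending a visitor to another site; the function name and the allow-list of hosts are assumptions.

```php
<?php
// Added example (not WordPress core code): validate a user-supplied redirect
// target so a crafted value cannot send the visitor to another site.
// $allowed_hosts is an assumed allow-list; a real site would derive it from
// its own home URL.

function safe_redirect_target(string $location, array $allowed_hosts, string $fallback): string
{
    $location = trim($location);

    // Some URL parsers treat "/\evil.example" like "//evil.example", so
    // normalise backslashes before deciding whether the value is relative.
    $location = str_replace('\\', '/', $location);

    // A path that starts with exactly one "/" stays on this site. Two leading
    // slashes make a protocol-relative URL, which is absolute and must be checked.
    if ($location !== '' && $location[0] === '/' && substr($location, 1, 1) !== '/') {
        return $location;
    }

    $parts = parse_url($location);
    if ($parts === false || empty($parts['host'])) {
        // Unparsable, or no host at all (e.g. a "javascript:" pseudo-URL): fail closed.
        return $fallback;
    }

    // Only http and https are acceptable redirect targets; a protocol-relative
    // URL carries no scheme and is rejected here as well.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $fallback;
    }

    // Exact host comparison. Suffix or substring matching would accept
    // "blog.example.attacker.example".
    $host    = strtolower($parts['host']);
    $allowed = array_map('strtolower', $allowed_hosts);
    if (!in_array($host, $allowed, true)) {
        return $fallback;
    }

    return $location;
}

// Constructed inputs: a same-site path, a protocol-relative URL, an absolute
// URL on an allowed host, and a javascript: pseudo-URL.
$allowed = ['blog.example'];
foreach (['/wp-admin/', '//attacker.example/x', 'https://blog.example/p', 'javascript:alert(1)'] as $in) {
    echo $in, ' => ', safe_redirect_target($in, $allowed, '/'), PHP_EOL;
}
```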

We asked WordPress Lead Developer Andrew Nacin for a bit of clarity around the author role issue that was fixed. Here's what Andrew said:

A user can reassign the authorship of a post to another user, even when they are not allowed to do so. (For example, the user is an Author and not an Editor.) The user must already be allowed to edit content — and specifically edit that post. They also then lose the ability to edit that post, but this “forging” could still cause a compromised account or malicious user to post as another user.
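As an added example, not WordPress core's own fix, this is what "ignore user ID post data" looks like when enforced at save time: current_user_can(), get_current_user_id() and the wp_insert_post_data hook are real WordPress APIs, while enforce_post_author() is a hypothetical helper.

```php
<?php
// Added example (not WordPress core's own fix): on save, ignore any post_author
// that arrives with the request unless the current user may edit other users'
// posts. current_user_can(), get_current_user_id() and the wp_insert_post_data
// hook are real WordPress APIs; enforce_post_author() is a hypothetical helper.

function enforce_post_author(array $data, int $post_id): array
{
    $current_user = get_current_user_id();
    $submitted    = isset($data['post_author']) ? (int) $data['post_author'] : 0;

    // Reassigning authorship is an Editor-level action. The per-post
    // 'edit_post' check that gates editing at all belongs in the request
    // handler; this filter only decides who the saved post is attributed to.
    if (current_user_can('edit_others_posts')) {
        return $data;
    }

    if ($submitted !== 0 && $submitted !== $current_user) {
        // A non-privileged account supplied someone else's user ID. Record it:
        // repeated attempts from one account are a useful detection signal.
        error_log(sprintf(
            'post_author %d ignored for user %d on post %d',
            $submitted, $current_user, $post_id
        ));
    }

    // Whatever was submitted, the post is attributed to the user saving it.
    $data['post_author'] = $current_user;
    return $data;
}

add_filter('wp_insert_post_data', function (array $data, array $postarr): array {
    $post_id = isset($postarr['ID']) ? (int) $postarr['ID'] : 0;
    return enforce_post_author($data, $post_id);
}, 10, 2);
```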

In closing the conversation with Andrew, he remarked that WordPress is not vulnerable to the remote code execution issue by default:

I’ll emphasize that WordPress is *NOT* exploitable to the RCE out of the box, despite it being a doozy. It requires a vulnerable object (which core does not have), as well as a vulnerable character set. It is a “perfect storm” vulnerability.


The following note was also added to the official release post; it speaks to some adjustments made around file uploads that restrict potential XSS issues:

Additionally, we’ve adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.

One of those restrictions was the removal of some upload types, including .swf and .exe. Also removed was the ability to upload .html and .htm files if the user doesn't have the ability to post unfiltered HTML. This makes sense really; it seems a little silly to allow Authors to upload an .html file but not to use a <script> tag, for example.
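An added example (not the core change itself) of enforcing those upload rules through the real upload_mimes filter; the extension keys 'swf', 'exe' and 'htm|html' are assumed from the pre-3.6.1 default MIME list, and remove_upload_extensions() is a hypothetical helper.

```php
<?php
// Added example (not WordPress core code): enforce the upload restrictions the
// release describes via the upload_mimes filter. Keys of the $mimes array are
// pipe-separated extension patterns, as WordPress uses them; the specific keys
// 'swf', 'exe' and 'htm|html' are assumed from the pre-3.6.1 defaults.

function remove_upload_extensions(array $mimes, array $banned): array
{
    foreach (array_keys($mimes) as $pattern) {
        // A key such as 'htm|html' covers several extensions; drop the whole
        // entry if any one of them is banned.
        if (array_intersect($banned, explode('|', $pattern))) {
            unset($mimes[$pattern]);
        }
    }
    return $mimes;
}

add_filter('upload_mimes', function (array $mimes): array {
    // Active-content types that are never needed as media: removed for everyone.
    $mimes = remove_upload_extensions($mimes, ['swf', 'exe']);

    // A hosted .html file runs script in the site's own origin, exactly as a
    // post containing <script> would, so it is only acceptable from users who
    // are already trusted with unfiltered HTML.
    if (!current_user_can('unfiltered_html')) {
        $mimes = remove_upload_extensions($mimes, ['htm', 'html']);
    }

    return $mimes;
});
```

This gates on the declared extension only; WordPress's wp_check_filetype_and_ext() is what checks the file's actual content against that extension.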

Quick Diff List

There weren't a significant number of changes in this maintenance release. Below is a quick reference of the files changed, and a list of the actual changes from the branch logs.

Files Changed
readme.html
wp-admin/about.php
wp-admin/nav-menus.php
wp-admin/includes/post.php
wp-admin/includes/update-core.php
wp-admin/includes/template.php
wp-admin/network/upgrade.php
wp-admin/js/common.js
wp-includes/pluggable.php
wp-includes/comment-template.php
wp-includes/post-template.php
wp-includes/version.php
wp-includes/theme.php
wp-includes/functions.php
wp-includes/ms-functions.php
wp-includes/link-template.php
wp-includes/class-http.php
wp-includes/js/jquery/jquery.js
wp-includes/js/tinymce/plugins/wordpress/editor_plugin.js
wp-includes/js/tinymce/plugins/wordpress/editor_plugin_src.js
wp-includes/js/tinymce/wp-tinymce.js.gz
Change Log
@25345 Avoid error in ms-files.php after [25317] (merged as [25322]). Merges …
@25341 Avoid string offset notices in [25319] (merged as [25324]). Merges [25340] …
@25339 Improve clarity and speed of [25320] (merged as [25325]). Merges [25338] …
@25336 Update TinyMCE for [25187]. see #25131.
@25326 3.6.1-RC1
@25325 Loose validation for is_serialized() in maybe_serialize(). Merges [25320] …
@25324 Better protocol validation in set_url_scheme(). Merges [25319] to 3.6.
@25323 Validate referrers to prevent off-domain redirects. Merges [25318] to 3.6.
@25322 Tighten allowed upload file types. Merges [25317] to 3.6.
@25321 Ignore user ID post data. Merges [25316] to 3.6.
@25247 3.6.1-beta1.
@25236 Fix 'html5' theme support. * Merge, rather than replace, on second add. …
@25233 Remove display of 'Previously restored by' in the revisions meta box as it …
@25232 Nav menus: Allow assigning a new menu to an existing location when no …
@25198 Case sensitivity for is_email_address_unsafe(). Merges [25197] to the 3.6 …
@25192 Hide 'Database Upgrade Required' on admin/network/upgrade.php when you are …
@25187 TinyMCE: fix editor focus issues after ontouchstart event on the parent …
@25185 Fix menu folding on new installs. fixes #24921 for 3.6.
@25184 Revert [23307] so new users in multisite are not automatically subscribers …
@25152 Make sure $args is an array before treating it as such. fixes #25151 for …
@25118 Avoid displaying multiple instances of the same feature pointers on a …
@25074 The 3.6 branch is 3.6.1-alpha.
@25073 Remove sourceMappingURL from jquery.min.js. Merges [25072] to the 3.6 …
@25052 WP_HTTP: Curl: When using Stream-to-file on servers using …
@25014 Remove zero-byte files that were meant to be deleted in [23446]. see …

Please make sure to update as soon as you can; it's not super awesome to be running around with old and insecure versions of any software :D

About Tony Perez

Tony is the Co-Founder / CEO at Sucuri. He shares a deep passion for Information Security, Business and Brazilian JiuJitsu. He approaches the business the same as he trains BJJ, one move at a time and gently. You can follow him on twitter: @perezbox.

  • Carlos García

    When I click on the auto-update button it stays in the same 3.6 version. I'm using and updating WordPress in Spanish.

  • Adeel Sami

    Thank you so much Dre for the update, just saw it on FB and upgraded my WP version to 3.6.1.

  • http://www.markdescande.com/ Mark de Scande

    About 30 full sites updated and then I got WordPress blocked on our server, oops, yes that can happen

    Overall here is some great advice: if there is an upgrade button then press it..

    The worst part of all these upgrades is customers just don't give a crap and they don't even give a thank you or job well done, and then the best part is they move away from you to a new and "better" host and they get hacked to pieces, and it is then your problem "you built the site in the first place", well why did you not upgrade in the first place, then you would have never been hacked lol

    So you cool cats at Sucuri keep up the great work, I always read your posts and keep myself informed, even if there is no thank you from any of the customers, from me to you guys is a BIG thank you :)

    Thank you Kindly
    Mark de Scande

  • http://www.parafriv.net/ Para Friv

    Thank you so much Dre for the update. hi

  • http://www.frivpara.net/ Friv Para

    wow, Thanks, I will share with my friends.

  • Kuntal Mukherjee

    Mr. Dre Armeda, at first I have to give you many many thanks for presenting such good content. Though I am a new player in the blogging field, gradually I have become a fan of your writing skills and of course presentation style…..whooooao… pls continue to write for us and make the web safer.

  • http://www.getsgad.com/ Rama Singh

    Sincere thanks for this update. Now WordPress seems to be an even safer place on the web and they have reduced the vulnerability in their pages a lot.

  • http://www.juegos2.info/ Juegos 2

    This information I was looking for everywhere but could not find; how do you get it? It is very useful for me, I need it for work, my boss assigned me. Thank you for sharing