WordPress 3.4.2 Released – Maintenance and Security Update!!

As many know, the WordPress team released WordPress 3.4.2 today and have titled it a maintenance and security release.

WordPress 3.4.2 Update

By now many blogs and forums have repeated the same announcement to push the word out, and that’s great.

It took us a bit longer because we wanted to better understand the specifics of the security release. Here is what we found:

The security release addresses three issues:

The Security Fixes

Two Role Escalations

  • Multisite – A site administrator in a multisite install could activate a plugin on the network that was not network-active. That is a form of role escalation: it lets the administrator role perform an action reserved for the super administrator. This one is well documented in Ticket 21187.
  • AtomPub – The AtomPub endpoint could, in theory, be used to publish a post from an account with the contributor role, which is otherwise limited to submitting posts for review. Not documented in a ticket.

One Patch Update

  • Unfiltered_html patch from 3.4.1 – Updated with a more effective and long-term solution. Find more details in our last patch release post.
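Both escalations come down to the same mistake: a capability check that does not match the scope of the action being requested. As an added illustration (example code written for this post, not WordPress core and not the 3.4.2 patch itself), the block below shows the vulnerable pattern beside a hardened one for network-wide plugin activation, and the equivalent status check for publishing. The function names activate_plugin_vulnerable(), activate_plugin_hardened() and atompub_post_status(), the stand-in stubs and the demo user capabilities are constructed for the example; current_user_can(), is_multisite(), wp_die() and the capability names activate_plugins, manage_network_plugins and publish_posts are the real WordPress ones.

```php
<?php
// Added example, not WordPress core code. It models the two authorization
// mistakes fixed in 3.4.2: a per-site capability accepted for a network-wide
// action (multisite plugin activation), and a post published without checking
// the publish_posts capability (AtomPub). The *_vulnerable/*_hardened and
// atompub_post_status() names are hypothetical.
//
// The stubs below stand in for WordPress so the file runs on its own with
// `php`; inside WordPress the real is_multisite(), current_user_can() and
// wp_die() are used instead.
if (!function_exists('current_user_can')) {
    $GLOBALS['demo_caps'] = [];                       // constructed demo user
    function is_multisite(): bool { return true; }
    function current_user_can($cap): bool {
        return in_array($cap, $GLOBALS['demo_caps'], true);
    }
    function wp_die($message) { throw new RuntimeException($message); }
}

// Vulnerable pattern: only the per-site capability is checked, so a site
// administrator (who has activate_plugins) can request $network_wide = true
// and act as a super administrator.
function activate_plugin_vulnerable(string $plugin, bool $network_wide): string {
    if (!current_user_can('activate_plugins')) {
        wp_die('You do not have sufficient permissions to activate plugins.');
    }
    return ($network_wide ? 'network-activated ' : 'activated ') . $plugin;
}

// Hardened pattern: the capability checked matches the scope of the action.
// Network-wide activation is a super-admin action (manage_network_plugins).
function activate_plugin_hardened(string $plugin, bool $network_wide): string {
    if (!current_user_can('activate_plugins')) {
        wp_die('You do not have sufficient permissions to activate plugins.');
    }
    if ($network_wide && (!is_multisite() || !current_user_can('manage_network_plugins'))) {
        wp_die('Network-wide activation requires network plugin management rights.');
    }
    return ($network_wide ? 'network-activated ' : 'activated ') . $plugin;
}

// Same principle for publishing: a requested status of 'publish' is honoured
// only for users holding publish_posts; anyone else (e.g. a contributor)
// gets 'pending' so the post waits for review.
function atompub_post_status(string $requested): string {
    if ($requested === 'publish' && !current_user_can('publish_posts')) {
        return 'pending';
    }
    return $requested;
}

// Demo 1: a site administrator (activate_plugins, publish_posts; no network caps)
$GLOBALS['demo_caps'] = ['activate_plugins', 'publish_posts'];
echo activate_plugin_vulnerable('hello.php', true), "\n";   // escalation succeeds
try {
    activate_plugin_hardened('hello.php', true);
} catch (RuntimeException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";               // escalation blocked
}

// Demo 2: a contributor (edit_posts only) asking AtomPub to publish
$GLOBALS['demo_caps'] = ['edit_posts'];
echo atompub_post_status('publish'), "\n";                  // pending
```

Run it with `php` on its own to see the site administrator's network-wide activation succeed against the vulnerable check and fail against the hardened one, and the contributor's publish request downgraded to pending. The point to carry into your own plugins and themes is the one in activate_plugin_hardened(): decide which capability an action really needs at the scope it operates on, and test for that capability rather than the broader role the user happens to hold.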

Role escalation is nothing to shrug at, but in a vulnerability assessment these would be categorized as low risk: each requires an existing authenticated account (a site administrator for the multisite issue, a contributor for AtomPub) rather than being exploitable by an anonymous visitor. This is not to say they are unimportant, but perspective is always good.

If you read our last post on WordPress security, you will see how prevalent role escalation is today, not just in core but in themes and plugins alike.

Reminder to update responsibly. If in doubt, be sure to read our guide on updating safely; the last thing anyone wants is for you to blow up your site.

About Tony Perez

Tony is the Co-Founder / CEO at Sucuri. His passion lies in educating business owners and raising awareness about online threats: understanding the psychology of bad actors, the impact and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at PerezBox and you can follow him on Twitter at @perezbox.