Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

WordPress 3.5.2 Security and Maintenance Release

June 21, 2013, by Dre Armeda

The WordPress team just pushed out a new version of WordPress (3.5.2) that fixes several security bugs. Straight from their release post, these are the security changes:

  1. Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
  2. Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
  3. An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki.
  4. Prevention of a denial of service attack, affecting sites using password-protected posts.
  5. An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
  6. Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
  7. Avoid disclosing a full file path when an upload fails. Reported by Jakub Galczyk.


Beyond the fixes themselves, the bigger action to come out of this release, and out of the disclosure of the SWFUpload external library vulnerabilities in general, is the WordPress Core team's announcement of a secure SWFUpload fork.

The WordPress security team has officially forked the long-abandoned SWFUpload project and is strongly encouraging all web developers who use SWFUpload to update.

The team goes on to say they do not condone the use of abandonware, but they wish to make the web a better place by ensuring that developers have access to a secure version of SWFUpload.

They also encourage you to report any vulnerabilities found in the fork.

Quick Diff List

There weren’t many changes in this release, but these are all the modified files:


Files wordpress-3.5.1/readme.html and wordpress-3.5.2/readme.html differ
Files wordpress-3.5.1/wp-admin/about.php and wordpress-3.5.2/wp-admin/about.php differ
Files wordpress-3.5.1/wp-admin/edit-form-advanced.php and wordpress-3.5.2/wp-admin/edit-form-advanced.php differ
Files wordpress-3.5.1/wp-admin/includes/class-wp-importer.php and wordpress-3.5.2/wp-admin/includes/class-wp-importer.php differ
Files wordpress-3.5.1/wp-admin/includes/class-wp-upgrader.php and wordpress-3.5.2/wp-admin/includes/class-wp-upgrader.php differ
Files wordpress-3.5.1/wp-admin/includes/file.php and wordpress-3.5.2/wp-admin/includes/file.php differ
Files wordpress-3.5.1/wp-admin/includes/media.php and wordpress-3.5.2/wp-admin/includes/media.php differ
Files wordpress-3.5.1/wp-admin/includes/post.php and wordpress-3.5.2/wp-admin/includes/post.php differ
Files wordpress-3.5.1/wp-admin/includes/schema.php and wordpress-3.5.2/wp-admin/includes/schema.php differ
Files wordpress-3.5.1/wp-admin/includes/update-core.php and wordpress-3.5.2/wp-admin/includes/update-core.php differ
Files wordpress-3.5.1/wp-admin/includes/upgrade.php and wordpress-3.5.2/wp-admin/includes/upgrade.php differ
Files wordpress-3.5.1/wp-admin/update.php and wordpress-3.5.2/wp-admin/update.php differ
Files wordpress-3.5.1/wp-content/plugins/akismet/admin.php and wordpress-3.5.2/wp-content/plugins/akismet/admin.php differ
Files wordpress-3.5.1/wp-content/plugins/akismet/akismet.css and wordpress-3.5.2/wp-content/plugins/akismet/akismet.css differ
Files wordpress-3.5.1/wp-content/plugins/akismet/akismet.js and wordpress-3.5.2/wp-content/plugins/akismet/akismet.js differ
Files wordpress-3.5.1/wp-content/plugins/akismet/akismet.php and wordpress-3.5.2/wp-content/plugins/akismet/akismet.php differ
Files wordpress-3.5.1/wp-content/plugins/akismet/.htaccess and wordpress-3.5.2/wp-content/plugins/akismet/.htaccess differ
Files wordpress-3.5.1/wp-content/plugins/akismet/readme.txt and wordpress-3.5.2/wp-content/plugins/akismet/readme.txt differ
Files wordpress-3.5.1/wp-content/themes/twentyeleven/languages/twentyeleven.pot and wordpress-3.5.2/wp-content/themes/twentyeleven/languages/twentyeleven.pot differ
Files wordpress-3.5.1/wp-content/themes/twentytwelve/languages/twentytwelve.pot and wordpress-3.5.2/wp-content/themes/twentytwelve/languages/twentytwelve.pot differ
Files wordpress-3.5.1/wp-includes/class-feed.php and wordpress-3.5.2/wp-includes/class-feed.php differ
Files wordpress-3.5.1/wp-includes/class-http.php and wordpress-3.5.2/wp-includes/class-http.php differ
Files wordpress-3.5.1/wp-includes/class-oembed.php and wordpress-3.5.2/wp-includes/class-oembed.php differ
Files wordpress-3.5.1/wp-includes/class-phpass.php and wordpress-3.5.2/wp-includes/class-phpass.php differ
Files wordpress-3.5.1/wp-includes/class-wp-admin-bar.php and wordpress-3.5.2/wp-includes/class-wp-admin-bar.php differ
Files wordpress-3.5.1/wp-includes/class-wp-xmlrpc-server.php and wordpress-3.5.2/wp-includes/class-wp-xmlrpc-server.php differ
Files wordpress-3.5.1/wp-includes/comment.php and wordpress-3.5.2/wp-includes/comment.php differ
Files wordpress-3.5.1/wp-includes/deprecated.php and wordpress-3.5.2/wp-includes/deprecated.php differ
Files wordpress-3.5.1/wp-includes/formatting.php and wordpress-3.5.2/wp-includes/formatting.php differ
Files wordpress-3.5.1/wp-includes/functions.php and wordpress-3.5.2/wp-includes/functions.php differ
Files wordpress-3.5.1/wp-includes/http.php and wordpress-3.5.2/wp-includes/http.php differ
Files wordpress-3.5.1/wp-includes/js/media-editor.js and wordpress-3.5.2/wp-includes/js/media-editor.js differ
Files wordpress-3.5.1/wp-includes/js/media-editor.min.js and wordpress-3.5.2/wp-includes/js/media-editor.min.js differ
Files wordpress-3.5.1/wp-includes/js/plupload/handlers.js and wordpress-3.5.2/wp-includes/js/plupload/handlers.js differ
Files wordpress-3.5.1/wp-includes/js/plupload/handlers.min.js and wordpress-3.5.2/wp-includes/js/plupload/handlers.min.js differ
Files wordpress-3.5.1/wp-includes/js/swfupload/handlers.js and wordpress-3.5.2/wp-includes/js/swfupload/handlers.js differ
Files wordpress-3.5.1/wp-includes/js/swfupload/handlers.min.js and wordpress-3.5.2/wp-includes/js/swfupload/handlers.min.js differ
Only in wordpress-3.5.1/wp-includes/js/swfupload: swfupload-all.js
Files wordpress-3.5.1/wp-includes/js/swfupload/swfupload.swf and wordpress-3.5.2/wp-includes/js/swfupload/swfupload.swf differ
Files wordpress-3.5.1/wp-includes/js/tinymce/plugins/media/moxieplayer.swf and wordpress-3.5.2/wp-includes/js/tinymce/plugins/media/moxieplayer.swf differ
Files wordpress-3.5.1/wp-includes/js/tinymce/tiny_mce.js and wordpress-3.5.2/wp-includes/js/tinymce/tiny_mce.js differ
Files wordpress-3.5.1/wp-includes/js/tinymce/wp-tinymce.js.gz and wordpress-3.5.2/wp-includes/js/tinymce/wp-tinymce.js.gz differ
Files wordpress-3.5.1/wp-includes/media-template.php and wordpress-3.5.2/wp-includes/media-template.php differ
Files wordpress-3.5.1/wp-includes/pluggable.php and wordpress-3.5.2/wp-includes/pluggable.php differ
Files wordpress-3.5.1/wp-includes/post.php and wordpress-3.5.2/wp-includes/post.php differ
Files wordpress-3.5.1/wp-includes/post-template.php and wordpress-3.5.2/wp-includes/post-template.php differ
Files wordpress-3.5.1/wp-includes/rss.php and wordpress-3.5.2/wp-includes/rss.php differ
Files wordpress-3.5.1/wp-includes/script-loader.php and wordpress-3.5.2/wp-includes/script-loader.php differ
Files wordpress-3.5.1/wp-includes/user.php and wordpress-3.5.2/wp-includes/user.php differ
Files wordpress-3.5.1/wp-includes/version.php and wordpress-3.5.2/wp-includes/version.php differ
Files wordpress-3.5.1/wp-includes/wp-db.php and wordpress-3.5.2/wp-includes/wp-db.php differ
Files wordpress-3.5.1/wp-login.php and wordpress-3.5.2/wp-login.php differ
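The list above is in the form diff -rq prints when run over the two extracted release trees, although the post does not say how it was produced. As an added example (not part of the original post or of WordPress), here is a Python script that compares two extracted trees by SHA-256 of each file and reports changed and removed files in that same style; the sample trees it builds are constructed stand-ins with a handful of files, not real release archives.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def _index(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(old_dir, new_dir):
    """Return (changed, only_in_old, only_in_new), each a sorted list of relative paths."""
    old, new = _index(Path(old_dir)), _index(Path(new_dir))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return changed, sorted(old.keys() - new.keys()), sorted(new.keys() - old.keys())

def _only_in(root_name: str, rel: str) -> str:
    """Render one path in diff -rq's 'Only in <dir>: <name>' form."""
    parent, name = os.path.split(rel)
    return f"Only in {root_name}{'/' + parent if parent else ''}: {name}"

def format_report(old_dir, new_dir):
    """Lines in the same 'Files ... differ' / 'Only in' style as the post's list."""
    old_name, new_name = Path(old_dir).name, Path(new_dir).name
    changed, gone, added = compare_trees(old_dir, new_dir)
    lines = [f"Files {old_name}/{p} and {new_name}/{p} differ" for p in changed]
    lines += [_only_in(old_name, p) for p in gone]
    lines += [_only_in(new_name, p) for p in added]
    return lines

def build_sample():
    """Constructed stand-in trees (not real WordPress files) echoing the post's list."""
    base = Path(tempfile.mkdtemp())
    old, new = base / "wordpress-3.5.1", base / "wordpress-3.5.2"
    files = {  # relative path: (contents in 3.5.1, contents in 3.5.2); None = absent
        "wp-includes/version.php": ("$wp_version = '3.5.1';", "$wp_version = '3.5.2';"),
        "wp-includes/js/swfupload/swfupload-all.js": ("// old bundle", None),
        "wp-settings.php": ("<?php // unchanged", "<?php // unchanged"),
    }
    for rel, bodies in files.items():
        for root, body in zip((old, new), bodies):
            if body is not None:
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
    return old, new

if __name__ == "__main__":
    print("\n".join(format_report(*build_sample())))
```

Pointing compare_trees at a clean release tree and a live install is also a quick way to spot files on the site that the release never shipped.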

Please make sure to update as soon as you can; it’s not super awesome to be running around with old and insecure versions of any software 😀

Categories: Security Advisory, WordPress Security

About Dre Armeda

Dre Armeda was Sucuri’s founding CEO and Co-Founder who helped start up the company in 2010. Today, Dre is Sr. Director of Technical Program Management and serves as Head of Technical Program Management (TPM) for GoDaddy's Partners Business. As head of TPM, Dre leads the PMO and Program Delivery Teams, ultimately driving all the program management functions and supporting our partners. When Dre isn't executing strategic initiatives at GoDaddy, you can find him on the mat training in Jiu Jitsu as a Carlson Gracie brown belt. Connect with Dre on Twitter.

Comments

  1. Mark de Scande

    June 21, 2013

    Cool post, just updated all 200 sites I manage 🙂 super easy with my super host

  2. AIDY

    June 21, 2013

    Thanks guys, awesome as always.

  3. Ron Strauss

    June 21, 2013

    Harleys, wordpress and web design…LOVE THEM ALL!

    • Andres Armeda

      June 21, 2013

      About to go wash my Street Glide 🙂

  4. Andreina

    June 21, 2013

    Thanks for the advice! Seems there is an error with the link to the release note ->
    hhttp://wordpress.org/news/2013/06/wordpress-3-5-2/

    🙂

    • Andres Armeda

      June 21, 2013

      Fixed 🙂

  5. Richard May

    June 21, 2013

    Hey Dre, Updated, but now can’t log into my admin panel. Login page has disappeared.

    • Andres Armeda

      June 21, 2013

      It is a minor release and should not have affected your admin area. Please check out the WordPress forums to see if anyone else is having issues. Most likely it’s a plugin conflict.

      • Caleb

        June 21, 2013

        I have had the same issue on a number of sites. I logged into FTP and manually deleted and then replaced the wp-admin folder. It worked for all my sites, so I suggest you try that.

        • Pete

          July 9, 2013

          Worked for me – Thanks Caleb

  6. Jay Castillo

    June 21, 2013

    Thank you Dre for keeping us all informed, I first learned about this update here. Now proceeding with deploying the update to my test sites before the live ones.

  7. Cathy Tibbles

    June 22, 2013

    Wonderful overview in layman’s terms. Thanks! 🙂

  8. Minecraft Games

    July 1, 2013

    I am glad to catch idea from your article. It has information I have been searching for a long time. Thanks so much.

    • Adonna

      July 4, 2013

      Hmm. I smell a comment spammer. Click on this commenter’s name and look at the other comments that they have left. They are ALL almost identical. :-/

  9. ADNAN FASIH

    July 12, 2013

    After the update of WP 3.5.2, admin panel is disappearing. I had to manually delete and replace the wp-admin folder from FTP to fix it. Is there any way to avoid this error?

    Any idea when WP 3.6 is releasing?
