WordPress 3.5.2 update fixes security issues

Martin Brinkmann
Jun 22, 2013
Updated • Jun 22, 2013

Ghacks is running on WordPress and whenever the software gets updated, I not only update the blog but also write about it here on the site. The update notifications in the admin dashboard are helpful in this regard as they inform webmasters about updates directly. That's however only the case if you open the dashboard regularly. If you update your blog once a week, you may not notice that an update is available directly but only after a couple of days.

WordPress 3.5.2 is a maintenance and security release that fixes several issues in the blogging software.  The development team suggests strongly that site admins and webmasters update their blogs immediately to the new version.

As far as security fixes are concerned, the following have been resolved in WordPress 3.5.2.

  • Server-side request forgery attacks that could provide attackers with access to the site.
  • Contributors can no longer publish posts improperly.
  • The SWFUpload library has been updated that fixes several cross-site scripting vulnerabilities.
  • Blocking denial of service attacks against sites that use password protected posts.
  • An update to TinyMCE fixing a cross-site scripting vulnerability.
  • Multiple cross-site scripting vulnerability fixes.
  • Full path not disclosed when uploads fail.

Another 12 maintenance related issues have been fixed in the new release.  You can check them out here on the WordPress tracker.

Updates should go through without issues on most blogs. I have updated half a dozen blogs so far and none acted up weirdly after the update. All plugins, the theme and the site's functionality worked just like before.

While that has been the case, it is still recommended to make a backup of your blog before you apply the update so that you can roll it back if you run into issues.

You can apply the update directly from the admin dashboard if your blog has been configured this way, or download it from the official website instead to update the blog manually instead.


Previous Post: «
Next Post: «


  1. blessy said on June 24, 2013 at 7:46 am

    I also have some issues while updating to 3.5.2.How can I revert back….

  2. J.K. said on June 22, 2013 at 11:49 pm

    Updated to 3.5.2 and now my tables created on my website have disappeared. Can anyone help? To my detriment, I didn’t create a back up before I updated.

  3. Rudd said on June 22, 2013 at 12:06 pm

    Just updated, looks like there were many security issues with the previous vversion. Can’t wait for 3.6 though.

  4. ilev said on June 22, 2013 at 4:02 am

    In June 2013, Checkmarx’s research labs ran multiple security scans against the source code of the most popular WordPress plugins. The result? More than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. In total, 8 million vulnerable WordPress plugins were downloaded…..

    The Security State of WordPress’ Top 50 Plugins


    1. Karl J. Gephart said on June 22, 2013 at 2:27 pm

      Nice report, thanks for the info! I remember many years ago, I had a WP site that was pharma-hacked, never could get the site back to page 1 of Google–page 2 was it after years of work. Not even so much the loss of the content (before I took backing up seriously), but the SEO.

    2. Martin Brinkmann said on June 22, 2013 at 4:32 am

      I saw that too, quite troubling

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.