A new version of the popular blogging software WordPress has just been released. The update addresses several security issues in the platform that were reported to the WordPress development team by third parties.
WordPress 3.6.1 fixes three security issues according to the WordPress Codex website. The first is a remote code execution vulnerability that could be triggered by unsafe PHP deserialization. The second stops users with the author role from creating a post "written by" another user, and the third fixes insufficient input validation that could result in users being redirected to another website.
In addition, the WordPress team implemented further security hardening, including tighter restrictions on file uploads to mitigate cross-site scripting attacks. Writers may notice that WordPress no longer allows .swf or .exe uploads by default, and that .htm or .html files can only be uploaded by users who have permission to use unfiltered HTML on the site.
When you try to upload a blocked file type after the update you will receive the following error message during the upload process:
Sorry, this file type is not permitted for security reasons.
A solution to whitelist file extensions so that you can upload them again using WordPress has been posted here. Note that the article has not been updated since 2007, and that things may have changed since then.
Instead of editing the code manually, you may prefer to use a plugin such as Manage Upload Types which you can use for exactly the same purpose.
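The following is an added example of how an admin could whitelist a blocked extension again without undoing the hardening for everyone; it is not code from the article, the linked 2007 guide, or the plugin mentioned above. It uses the real WordPress `upload_mimes` filter and `current_user_can()`, and mirrors the way 3.6.1 itself gates .htm/.html behind the `unfiltered_html` capability. The plugin name, the function names, the single `.swf` entry, and the choice of the `manage_options` capability are assumptions for the illustration.

```php
<?php
/*
Plugin Name: Restricted Upload Whitelist (example)
Description: Re-allows one blocked upload extension only for users holding a given capability.
*/

// Constructed mapping for this example: extension => MIME type and the capability
// a user must hold to upload it. Everything here is an assumption; adjust to your site.
function rul_restricted_types() {
    return array(
        'swf' => array(
            'mime' => 'application/x-shockwave-flash',
            'cap'  => 'manage_options', // administrators only
        ),
    );
}

// upload_mimes is the core filter WordPress applies to the list of allowed upload types.
// Returning a modified array changes what wp_check_filetype() will accept for this request.
add_filter( 'upload_mimes', 'rul_filter_upload_mimes' );

function rul_filter_upload_mimes( $mimes ) {
    foreach ( rul_restricted_types() as $ext => $info ) {
        if ( current_user_can( $info['cap'] ) ) {
            // Re-allow the extension for this trusted user only.
            $mimes[ $ext ] = $info['mime'];
        } else {
            // Keep the 3.6.1 default for everyone else, even if another plugin re-added it.
            unset( $mimes[ $ext ] );
        }
    }
    return $mimes;
}
```

Drop the file into wp-content/plugins/ (or mu-plugins/) and activate it; a user without the capability still sees the "not permitted for security reasons" error, while an administrator can upload the listed type.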
WordPress admins should test the update and then apply it to their blogs as soon as possible to secure them against attacks that target the vulnerabilities patched in version 3.6.1.
As always, it is recommended to create a backup of the blog before you run the update from the admin dashboard or update the blog manually via FTP or another connection method.
While it is unlikely that you will notice any side-effects or issues, it is always better to be safe than sorry.
I have updated five blogs so far with the new patch and all are working without any issues.
WordPress 3.6.1 is a security update for self-hosted WordPress blogs that fixes three vulnerabilities and further hardens the security of the blog. The core issue that writers may run into afterwards is that some file extensions they were able to upload previously are no longer allowed. That can be resolved easily by the admin of the site.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.