Yesterday WordPress released version 3.5.2 of its famous blogging platform, patching a handful of vulnerabilities present in WordPress 3.5.1 (and earlier), but is it really worth the hassle of upgrading?
I mean we all have better things to do at the weekend than go around fixing WordPress. Don’t even get started on those Monday mornings either!
Well first off – upgrading in WordPress is as simple as clicking a few links that are presented to you when you sign in. No tricky passwords or FTP credentials to remember, no absolute paths you must drag up from the depths of your memory… no hassle.
How about time?
How long does it take to patch WordPress to 3.5.2?
Well I managed to patch 2 personal and 2 professional blogs, so four separate WordPress sites, in less than 2 minutes. That includes downloading the update files too (which is also handled automatically, so fear not). No more WordPress 3.5.1 exploits, thank you!
Is WordPress 3.5.2 worth downloading?
Being able to patch sites so quickly must mean that the 3.5.2 update is tiny – but is it important?
If you don’t want your private data kept private, your elegant blog kept pristine and your site kept online… then no it’s not that important.
However if you want to keep your readers happy, whether that be a dozen that visit a week, or thousands that visit every day, you’ll want this latest security patch.
Read on to see what has been hardened.
WordPress 3.5.2 – security update
You thought your blog was nice and secure while you slept in your bed? Needless to say, no matter how prominent or obscure your site is, eventually the bad guys will probe it for weaknesses. This was seen earlier this year in a massive rise in attacks on WordPress sites, which I talk about here in a post about suspicious WP activity.
Rest assured that YOU aren't being singled out; your site just happened to fall onto their radar, and they'll try all the doors and windows before moving on to the next site. You just have to make sure those entryways are shut when they come knocking.
What's patched? WordPress 3.5.2 Changelog
WordPress fixed the bugs behind the following bunch of CVE numbers. Don't know what a CVE number is? It's basically a reference into a public database of known vulnerabilities, the 'Common Vulnerabilities and Exposures' list run by MITRE. If something has a CVE number, somebody has disclosed a vulnerability (on any platform, not just WordPress), and somebody is likely to be working on fixing it.
'Cos someone out there is sure to be trying to exploit it.
Here’s the changelog for WordPress 3.5.2
Server-Side Request Forgery (SSRF) is when an attacker can make your web server send HTTP requests of the attacker's choosing, so your site is turned against the other sites, hardware and systems it talks to (including internal hosts the attacker couldn't reach directly). In WordPress 3.5.1 this was possible via the HTTP API, which 3.5.2 now locks down (CVE-2013-2199).
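To show what "locking down" an outbound HTTP request actually means, here is an added example of a URL validator of the kind an HTTP API should run before fetching anything. This is my own illustration, not WordPress code; the FAKE_DNS table is constructed so the example runs offline, and the allowed port list (80, 443, 8080) is an assumed policy. The point is that the check has to look at the resolved addresses, not just the hostname, and reject every non-public one.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed lookup table standing in for DNS so the example runs offline.
# A real check resolves the host and tests every address it gets back.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "wiki.internal": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],   # one public, one loopback
}

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}          # assumed policy, not a WordPress setting


def is_public_address(ip):
    """True only for a routable, non-special address (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.5 is just 10.0.0.5 in disguise; judge the embedded IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve(host):
    """Return the list of addresses for host: an IP literal, or a DNS lookup."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host.lower(), [])


def is_safe_url(url):
    """Decide whether the server may fetch this URL on a user's behalf."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:          # no file://, gopher://, ftp:// ...
        return False
    if parts.username is not None or parts.password is not None:
        return False                           # http://user:pw@host tricks
    host = parts.hostname
    if not host:
        return False
    try:
        port = parts.port                      # raises ValueError if not numeric
    except ValueError:
        return False
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False
    addrs = resolve(host)
    if not addrs:
        return False                           # unresolvable: fail closed
    # Every address must be public; a name with one private answer is refused.
    return all(is_public_address(a) for a in addrs)
```

Two caveats a practitioner will want: the check above resolves the name and the HTTP client then resolves it again when connecting, so a hostile DNS server can answer differently the second time (rebinding); the robust fix is to connect to the address you validated. And the same check must be applied to every redirect target, otherwise a public URL that 302s to http://127.0.0.1/ walks straight through.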
Privilege Escalation is exactly what it sounds like. Computer systems work by limiting what each person can do, so anyone who can circumvent those limits can cause utter havoc. CVE-2013-2200 covered a bug that let Contributor-level users publish posts and reassign post authorship when they shouldn't have been allowed to.
A Denial of Service (DoS) could have been triggered by an attacker sending crafted post password cookies, tying up the server and taking the site offline via the post password cookie handling. More can be read at the CVE site under CVE-2013-2173.
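The lesson behind a "toxic cookie" DoS is worth seeing in code: a password-hash string that describes its own work factor (bcrypt, phpass and friends all do this) is fine when it comes out of your database, but if you ever verify against a string the client hands you, the client chooses how much CPU you burn. The example below is added illustration, not WordPress code or the actual 3.5.2 patch; it uses a hypothetical `$pbkdf2$rounds$salt$digest` format, and the "unlocked post" wrapper mirrors the cookie flow described above only in shape.

```python
import base64
import hashlib
import hmac
import os

# Server policy: the work factor we issue, and the most we will ever honour.
ISSUE_ROUNDS = 2 ** 12
MAX_ROUNDS = 2 ** 13


def make_hash(password, rounds=ISSUE_ROUNDS, salt=None):
    """Self-describing hash string: $pbkdf2$<rounds>$<salt b64>$<digest b64>."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "$pbkdf2$%d$%s$%s" % (
        rounds,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def parse_hash(stored):
    """Return (rounds, salt, digest), or None if the string is malformed."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "pbkdf2":
        return None
    try:
        rounds = int(parts[2])
        salt = base64.b64decode(parts[3], validate=True)
        digest = base64.b64decode(parts[4], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if rounds < 1:
        return None
    return rounds, salt, digest


def check_unsafe(password, stored):
    """Trusts the rounds field. Correct when `stored` came from your own
    database; a denial of service when it came from a cookie."""
    parsed = parse_hash(stored)
    if parsed is None:
        return False
    rounds, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def check(password, stored, max_rounds=MAX_ROUNDS):
    """Same check, but it refuses any work factor above policy BEFORE hashing."""
    parsed = parse_hash(stored)
    if parsed is None:
        return False
    rounds, salt, digest = parsed
    if rounds > max_rounds:
        return False            # attacker-chosen cost: bail out in O(1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def post_is_unlocked(post_password, cookie):
    """Cookie carries a hash of the post password, set when the reader typed it in.
    On every page view the server verifies the cookie: the cookie is client data."""
    return check(post_password, cookie)


def craft_hostile_cookie(rounds=10 ** 9):
    """What an attacker sends: a syntactically valid hash with a huge work factor."""
    return "$pbkdf2$%d$%s$%s" % (
        rounds,
        base64.b64encode(b"A" * 8).decode(),
        base64.b64encode(b"\0" * 32).decode(),
    )
```

Feeding `craft_hostile_cookie()` to `check_unsafe` would pin a CPU core for minutes per request; `check` returns False without hashing at all. The general rule: any parameter that controls cost (rounds, iteration count, memory size) must be capped by the server, never read from data the client supplied.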
CVE-2013-2201 and CVE-2013-2205
Cross-Site Scripting (XSS) occurs when an attacker gets their own script into a page that your site serves, so it runs in your readers' browsers with your site's authority, attacking YOUR users from YOUR site. Harsh! CVE-2013-2201 and CVE-2013-2205 tackled this for bugs found in the media and file upload processes.
Full Path Disclosure (FPD) could previously have occurred during a file upload, leaking the absolute path of your install on the server. Although not dangerous in itself, this extra information gives attackers more ground to work from. If in doubt, always limit information exposure.
Patch now – before it's too late!
Okay that title may be a little dramatic, but it took me seconds to patch this blog for those exploits listed above. If someone had cracked the site and taken it offline, it would have been hours of restoring, checking and double checking the code. Knowing that people are exploiting WordPress 3.5.1 vulnerabilities – do you really want to wait?
Unless you’ve got a severely tweaked version of WordPress running your blog, upgrade now.
Once you’ve patched it to 3.5.2, check out this article on hardening your WordPress install even further.
– Happy blogging