Recently, new vulnerabilities affecting WordPress have been identified.
All customers who use WordPress are advised to upgrade to the latest version (3.5.2) immediately. You can view our full walk-through guide on Updating WordPress here in our Support Center.
Below is a list and explanation of the vulnerabilities:
- CVE-2013-2173: A denial of service was found in the way WordPress performs hash computation when checking the password for password-protected posts. An attacker supplying carefully crafted input as the password could make the platform consume excessive CPU.
- CVE-2013-2199: Multiple server-side request forgery (SSRF) vulnerabilities were found in the HTTP API. This is related to CVE-2013-0235, which was specific to SSRF in pingback requests and was fixed in 3.5.1.
- CVE-2013-2201: Multiple cross-site scripting (XSS) vulnerabilities due to badly escaped input were found in the media file and plugin upload forms.
- CVE-2013-2202: An XML External Entity injection (XXE) vulnerability via oEmbed responses.
- CVE-2013-2203: A full path disclosure (FPD) was found in the file upload mechanism. If the upload directory is not writable, the error message returned includes the full directory path.
- CVE-2013-2204: Content spoofing via a Flash applet in the embedded TinyMCE media plugin.
- CVE-2013-2205: Cross-domain XSS in the embedded SWFUpload uploader.
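Two of the items above, the SSRF in the HTTP API (CVE-2013-2199) and the XXE via oEmbed responses (CVE-2013-2202), sit on the same code path: a site fetches a remote oEmbed URL and then parses the XML it gets back. The PHP below is an added illustration of the two defensive checks a practitioner would want on that path; it is not WordPress code and not the fix shipped in 3.5.2. The function names, the sample URLs and the two XML bodies are all constructed for this example.

```php
<?php
// Added example, not WordPress code. Two defensive checks on an oEmbed fetch
// path: (1) refuse to fetch URLs that resolve to loopback or private ranges,
// (2) parse the XML reply without expanding entities. Function names and the
// sample inputs are constructed for this illustration.

// Return true only for http(s) URLs whose host resolves to a public IPv4 address.
function is_safe_outbound_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;                        // no file://, gopher:// and friends
    }
    $host = strtolower($parts['host']);
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ip = $host;                         // literal IP in the URL
    } else {
        $ip = gethostbyname($host);          // IPv4 only; returns the name unchanged on failure
        if ($ip === $host) {
            return false;                    // unresolvable (bracketed IPv6 literals land here too)
        }
    }
    // NO_PRIV_RANGE rejects 10/8, 172.16/12 and 192.168/16; NO_RES_RANGE rejects
    // 0/8, 127/8, 169.254/16, 240/4 and the IPv6 loopback/link-local ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Parse an oEmbed XML body into name => text pairs, or return null when the
// document is malformed or carries a DOCTYPE / entity declaration.
function parse_oembed_xml_safely(string $body): ?array
{
    // A legitimate oEmbed reply never needs a DTD, so reject one outright
    // instead of relying on parser flags alone.
    if (preg_match('/<!(?:DOCTYPE|ENTITY)/i', $body)) {
        return null;
    }
    $prevErrors = libxml_use_internal_errors(true);        // keep libxml warnings out of the page
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);   // already the default from PHP 8.0
    }
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network access while parsing; LIBXML_NOENT is
    // deliberately absent so entity references are never substituted.
    $ok = $doc->loadXML($body, LIBXML_NONET);
    if ($prevLoader !== null) {
        libxml_disable_entity_loader($prevLoader);
    }
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);

    if (!$ok || $doc->documentElement === null || $doc->documentElement->nodeName !== 'oembed') {
        return null;
    }
    $fields = [];
    foreach ($doc->documentElement->childNodes as $node) {
        if ($node instanceof DOMElement) {
            $fields[$node->nodeName] = $node->textContent;
        }
    }
    return $fields;
}

// Constructed inputs for a quick run from the command line.
$urls = [
    'http://127.0.0.1/oembed',            // loopback address
    'http://10.0.0.5/oembed',             // RFC 1918 private range
    'file:///placeholder/local-file',     // non-http scheme
    'https://example.com/oembed',         // public host; needs DNS to be decided
];
foreach ($urls as $u) {
    printf("%-36s %s\n", $u, is_safe_outbound_url($u) ? 'allowed' : 'blocked');
}

$benign  = '<?xml version="1.0"?><oembed><type>video</type><title>Clip</title></oembed>';
$hostile = '<?xml version="1.0"?><!DOCTYPE oembed [<!ENTITY x SYSTEM "file:///placeholder/local-file">]>'
         . '<oembed><title>&x;</title></oembed>';
var_dump(parse_oembed_xml_safely($benign));
var_dump(parse_oembed_xml_safely($hostile));
```

Two caveats worth knowing when using a check like `is_safe_outbound_url()`: the name is resolved once here and again by the HTTP client when it connects, so a host whose DNS answer changes between the two lookups can still slip through; the robust place for the destination check is inside the client, on the socket it actually opens. The check also does not follow redirects, so the client must re-apply it on every `Location` it is about to follow.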
You can read the Official WordPress Release notes regarding this latest update on WordPress.org.