WordPress, the most popular blogging and content management system, has just released a security update. This maintenance release updates the current version 3.6 to 3.6.1, fixing three security vulnerabilities. One of them is a remote code execution flaw reported by a Belgian web application security researcher.
Fortunately, he has not published a full disclosure, stating:
Due to ethical considerations, I will not disclose a Proof of Concept of this exploit at this time, as there are too many vulnerable WordPress installations out there.
The other two vulnerabilities are:
- Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
- Fix insufficient input validation that could result in redirecting or leading a user to another website (an open redirect). Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
More information is available at the link below: