WordPress 2.5.1 Release Fixes Several Vulnerabilities

The first security and bugfix release of the latest WordPress branch is now available. WordPress does not mention the vulnerabilities fixed on the download page, but BlogSec recommends that 2.5 users upgrade ASAP.

Among the bugs fixed are two fairly critical security issues: a Cross-Site Scripting vulnerability and the WP 2.5 Cookie Integrity Protection Vulnerability, discovered by Steven J. Murdoch.

The latest WordPress 2.5.1 can be downloaded from WordPress.

WordPress discusses the vulnerabilities here and as part of their development feed.


Comments

Phil, should we add this to our When to Upgrade article? ;)

In my humble opinion, the approach of using filtering and sanitisation on demand will never work for fast-growing web applications.

What WordPress needs is the opposite approach – filter everything and exclude the values you are sure are unable to cause trouble.

More detailed writeup of the cookie integrity vulnerability here, for anyone interested: http://www.veracode.com/blog/?p=90

Do you advise upgrading from 2.3.3 to 2.5.1? Is 2.5.1 fully secure like 2.3.3?

I will probably wait for 2.5.2/3 before I upgrade. It really depends on the next round of fixes.
