The first security and bugfix release of the latest WordPress branch is now available. WordPress does not list the fixed vulnerabilities on the download page, but BlogSec recommends that 2.5 users upgrade ASAP.

Among the bugs fixed are two fairly critical security issues: a Cross-Site Scripting vulnerability and the WP 2.5 Cookie Integrity Protection Vulnerability, discovered by Steven J. Murdoch.

The latest WordPress 2.5.1 can be downloaded from WordPress.

WordPress discusses the vulnerabilities here and as part of its development feed.


Comments

DK on 28 April, 2008 at 11:55 am #

Phil, should we add this to our When to Upgrade article? ;)


.mario on 28 April, 2008 at 4:17 pm #

In my humble opinion the approach to use filtering and sanitation on demand will never work for fast growing web applications.

What WordPress needs is the opposite approach - filter everything and exclude the values you are sure are unable to cause trouble.


Chris Eng on 29 April, 2008 at 2:26 am #

More detailed writeup of the cookie integrity vulnerability here, for anyone interested: http://www.veracode.com/blog/?p=90


TheShadow on 30 April, 2008 at 10:59 pm #

Do you advise upgrading from 2.3.3 to 2.5.1? Is 2.5.1 fully secure like 2.3.3?


DK on 1 May, 2008 at 1:48 pm #

I will probably wait for 2.5.2/3 before I upgrade. It really depends on the next round of fixes.

