114 replies to this topic

[AplusWebMaster]

FYI...

WordPress v3.1...
- http://wordpress.org...11/02/threeone/
"... fourteenth release of WordPress is now available... Version 3.1 is available for download*, or you can update from within your dashboard..."

* http://wordpress.org/download/

- http://codex.wordpre...g/Changelog/3.1

- http://web.nvd.nist....d=CVE-2011-0701
Last revised: 03/15/2011

[AplusWebMaster]

FYI...

WordPress v3.1.1 released
- http://wordpress.org/download/
April 5, 2011 - "The latest stable release of WordPress (Version 3.1.1) is available..."

- http://wordpress.org...ordpress-3-1-1/
April 5, 2011 - "... This maintenance and security release fixes almost thirty issues* in 3.1... We suggest you update to 3.1.1 promptly. Download 3.1.1 or update automatically from the Dashboard > Updates menu in your site’s admin area."

* http://core.trac.wor...;order=priority
___

- http://www.securityt....com/id/1025299
Apr 6 2011

- http://secunia.com/advisories/44038/
Release Date: 2011-04-07
Criticality level: Moderately critical
Impact: Cross Site Scripting, DoS
Where: From remote...
Solution: Update to version 3.1.1.
Original Advisory: WordPress:
http://wordpress.org...ordpress-3-1-1/

Edited by AplusWebMaster, 07 April 2011 - 06:09 AM.

[AplusWebMaster]

FYI...

WordPress v3.1.2 released
- http://wordpress.org/download/
April 26, 2011 - The latest stable release of WordPress (Version 3.1.2) is available... To download WordPress 3.1.2, update automatically from the Dashboard > Updates menu in your site's admin area or visit
http://wordpress.org...elease-archive/

- http://wordpress.org...ordpress-3-1-2/
WordPress 3.1.2 is now available and is a security release for all previous WordPress versions. This release addresses a vulnerability that allowed Contributor-level users to improperly publish posts...

- http://codex.wordpre...g/Version_3.1.2

- http://core.trac.wor...;order=priority

- http://secunia.com/advisories/44372/
Release Date: 2011-04-27
Impact: Security Bypass
Where: From remote
Solution: Update to version 3.1.2.

Edited by AplusWebMaster, 27 April 2011 - 05:32 AM.

[AplusWebMaster]

FYI...

WordPress for iOS v2.8 released
- http://ios.wordpress...vailable-today/
18 May 11

- http://translate.wor...rojects/ios/dev

- http://ios.trac.word...p;milestone=2.8

- http://itunes.apple....d335703880?mt=8
"... app is designed for both iPhone and iPad."

.

[AplusWebMaster]

FYI...

WordPress v3.1.3 released
- http://wordpress.org/download/
May 25, 2011 - "The latest stable release of WordPress (Version 3.1.3) is available..."

- http://www.securityt....com/id/1025571
May 26 2011 - "... prior to 3.1.3"

- http://secunia.com/advisories/44409/
Last Update: 2011-05-27
Criticality level: Moderately critical
Impact: Cross Site Scripting, Exposure of system information, System access
Where: From remote
Solution: Update to version 3.1.3...

- http://wordpress.org...ordpress-3-1-3/
"WordPress 3.1.3 is available now and is a security update for all previous versions..."

- http://codex.wordpre...g/Version_3.1.3
"... To download WordPress 3.1.3, update automatically from the Dashboard > Updates menu in your site's admin area..."

- http://core.trac.wor...;order=priority

Edited by AplusWebMaster, 30 May 2011 - 02:58 PM.

[AplusWebMaster]

FYI...

WordPress WPtouch Plugin - Backdoor Security Issue
- http://secunia.com/advisories/45005/
Release Date: 2011-06-23
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution Status: Vendor Patch ...
... compromised source files were distributed on June 21st, 2011 and possibly prior.
Solution: Update to version 1.9.29.
Original Advisory: http://wordpress.org...asswords-reset/

WordPress W3 Total Cache Plugin - Backdoor Security Issue
- http://secunia.com/advisories/45021/
Release Date: 2011-06-23
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution Status: Vendor Patch ...
... compromised source files were distributed on June 21st, 2011 and possibly prior.
Solution: Manually install version 0.9.2.3 downloaded after June 21st, 2011.
Original Advisory: http://wordpress.org...asswords-reset/

WordPress AddThis Plugin - Backdoor Security Issue
- http://secunia.com/advisories/45027/
Release Date: 2011-06-23
Criticality level: Highly critical
Impact: System access
Where: From remote ...
Solution Status: Vendor Patch ...
... compromised source files were distributed on June 21st, 2011 and possibly prior.
Solution: Manually install version 2.2.0 downloaded after June 21st, 2011.
Original Advisory: http://wordpress.org...asswords-reset/
___

>> http://nakedsecurity...-spotted-fixed/
June 22, 2011

Edited by AplusWebMaster, 24 June 2011 - 06:24 AM.

[AplusWebMaster]

FYI...

WordPress v3.1.4 released
- http://wordpress.org/download/
June 29, 2011 - "The latest stable release of WordPress (Version 3.1.4) is available..."

- http://wordpress.org...ordpress-3-1-4/
June 29, 2011 - "WordPress 3.1.4 is available now and is a maintenance and security update for all previous versions. This release fixes an issue that could allow a malicious Editor-level user to gain further access to the site..."

- http://codex.wordpre...g/Version_3.1.4
___

- http://www.securityt....com/id/1025737
Jun 30 2011
... prior to 3.1.4...

Edited by AplusWebMaster, 01 July 2011 - 06:21 AM.

[AplusWebMaster]

FYI...

WordPress v3.2 released
- http://wordpress.org/download/
July 4, 2011 - "The latest stable release of WordPress (Version 3.2) is available..."

- http://wordpress.org...11/07/gershwin/
"... The focus for this release was making WordPress faster and lighter... refreshed dashboard design that tightens the typography, design, and code behind the admin... Under the hood there have been a number of improvements, not the least of which is the streamlining enabled by our previously announced plan of retiring support for PHP4, older versions of MySQL, and legacy browsers like IE6, which allows us to take advantage of more features enabled by new technologies..."

[AplusWebMaster]

FYI...

WordPress add-on application vulnerability

TimThumb v1.34 released
- http://secunia.com/advisories/45416/
Last Update: 2011-08-04
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote
... The weakness is reported in versions prior to 1.34.
Solution: Update to version 1.34...

> http://www.binarymoo...jects/timthumb/
TimThumb PHP Image Resizer - "... use across the WordPress world..."
___

- https://www.us-cert....s_vulnerability
August 3, 2011

- http://blog.sucuri.n...cluding-it.html
August 3, 2011

Edited by AplusWebMaster, 08 August 2011 - 05:08 PM.

[AplusWebMaster]

This is a "bump", because of this:

> https://blog.avast.c...to-a-blackhole/
October 31st, 2011 - "... The bad guys are using a security vulnerability in non-updated TimThumb. This allows attackers to upload and execute arbitrary PHP code in the TimThumb cache directory which will download other malicious files. But this is not the only way for example they use stolen passwords to direct FTP changes..."

- http://h-online.com/-1370897
3 November 2011 - "... criminals are exploiting a critical hole in the TimThumb WordPress add-on to deploy malicious code on a large scale. Avast says that it blocked more than 2,500 infected sites in September and anticipates a similar number in October. The attackers install the professional BlackHole exploit framework on the affected servers. The framework then tries to infect visitors to the WordPress blog with malicious code by trying out various vulnerabilities in the visitor's browser and installed plug-ins..."

- http://blog.sucuri.n...ath-part-i.html
October 28, 2011
You can check your site for -FREE- here: http://sitecheck.sucuri.net/scanner/
___

TimThumb v1.34 released
- http://secunia.com/advisories/45416/
Last Update: 2011-08-04
Criticality level: Highly critical
Impact: Security Bypass, System access
Where: From remote
... The weakness is reported in versions prior to 1.34.
Solution: Update to version 1.34...

> https://www.us-cert....s_vulnerability
August 3, 2011

Edited by AplusWebMaster, 03 November 2011 - 04:21 PM.

[AplusWebMaster]

FYI...

WordPress v3.3 released
- https://wordpress.org/download/
December 12, 2011 Stable Download - "The latest stable release of WordPress (Version 3.3) is available ..."

- https://wordpress.or.../2011/12/sonny/

Changelog/3.3
- https://codex.wordpr...g/Changelog/3.3

- https://codex.wordpr...org/Version_3.3

[AplusWebMaster]

FYI...

WordPress Connections plugin vuln - updates available
- https://secunia.com/advisories/47390/
Release Date: 2011-12-29
Criticality level: Moderately critical
Impact: Unknown
Where: From remote...
Solution... see: Connections Changelog:
http://wordpress.org...ions/changelog/
Latest: 0.7.2.2 - 12/25/11
0.7.1.6 - 06/15/2011 > Fixes security vulnerability
Requires: 3.2 or higher
Compatible up to: 3.3
Last Updated: 2011-12-26

[AplusWebMaster]

FYI...

WordPress v3.3.1 released
- https://wordpress.org/download/
January 3, 2012 - "The latest stable release of WordPress (Version 3.3.1) is available..."

WordPress 3.3.1 Security and Maintenance Release
- https://wordpress.or...ordpress-3-3-1/
January 3, 2012 - "This maintenance release fixes 15 issues with WordPress 3.3, as well as a fix for a cross-site scripting vulnerability that affected version 3.3..."

- https://core.trac.wo...;order=priority
___

- http://h-online.com/-1403297
4 January 2012
___

- http://www.securityt....com/id/1026542
CVE Reference: CVE-2012-0287
Date: Jan 19 2012
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Version(s): 3.3
Solution: The vendor has issued a fix (3.3.1)...

Edited by AplusWebMaster, 23 January 2012 - 08:17 AM.

[AplusWebMaster]

FYI...

WordPress v3.3.2 released
- https://wordpress.org/download/
April 20, 2012 - "The latest stable release of WordPress (Version 3.3.2) is available..."

- https://wordpress.or...ordpress-3-3-2/
"WordPress 3.3.2 is available now and is a security update for -all- previous versions. Three external libraries included in WordPress received security updates:
> Plupload (version 1.5.4), which WordPress uses for uploading media.
> SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
> SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes...
... also addresses:
> Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances...
> Cross-site scripting vulnerability when making URLs clickable...
> Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs...
These issues were fixed by the WordPress core security team. Five other bugs were also fixed in version 3.3.2..."

Changelog:
- https://core.trac.wo...;stop_rev=20087
___

- http://web.nvd.nist....d=CVE-2012-2399 - 10.0 (HIGH)
- http://web.nvd.nist....d=CVE-2012-2400 - 10.0 (HIGH)
- http://web.nvd.nist....d=CVE-2012-2401 - 5.0
- http://web.nvd.nist....d=CVE-2012-2402 - 5.5
- http://web.nvd.nist....d=CVE-2012-2403 - 4.3
- http://web.nvd.nist....d=CVE-2012-2404 - 4.3
Last revised: 04/23/2012 - "... WordPress before 3.3.2..."

- http://h-online.com/-1545416
23 April 2012

- https://secunia.com/advisories/48957/
Release Date: 2012-04-23
Criticality level: Moderately critical
Impact: Security Bypass, Cross Site Scripting
Where: From remote
... vulnerabilities are reported in versions prior to 3.3.2.
Solution: Update to version 3.3.2.

Edited by AplusWebMaster, 23 April 2012 - 12:53 PM.

[AplusWebMaster]

FYI...

WordPress v3.4 released
- https://wordpress.org/download/
June 13, 2012 - "The latest stable release of WordPress (Version 3.4) is available..."

- https://wordpress.or.../2012/06/green/

- https://codex.wordpr...org/Version_3.4