
13th NOV

WordPress 2.8.6 Security Release – Considerations!

Posted by Zulfikar under Troubleshooting Wordpress, Upgrading Wordpress

Update: Upgrade your wordpress blog NOW!

The vulnerability is far more serious than the extract from WordPress.org below first suggested, and an immediate upgrade is now advised. The security hole can allow a script to add files to the site's root directory, which can lead to major disruption of your blog. Files such as index.html can be added to your site root via this hole, and they can include warez, viruses and porn-type content. Thanks to the prompt action of those who spotted the breach, and to WordPress for the prompt release of the latest secure version, we can now eliminate the problem by upgrading immediately.
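The practical check that follows from the update above is to look for files in the site root that a clean WordPress download does not contain. The script below is an added example, not code from this post or from WordPress: it compares a live root listing against the listing of a clean download, treats anything you added yourself (such as wp-config.php) as an allowlist, and prioritises unexpected entries with server-executed or browser-rendered extensions. The sample listings are constructed for the example.

```python
import os

# Extensions a web server executes or a browser renders as active content;
# unexpected root entries with these get top priority in the report.
ACTIVE_SUFFIXES = (".php", ".phtml", ".html", ".htm", ".js")

def diff_site_root(site_entries, clean_entries, allowlist=()):
    """Compare a live site root against a clean WordPress download.

    site_entries / clean_entries: iterables of names (os.listdir output).
    allowlist: names you legitimately added yourself, e.g. wp-config.php.
    Returns a dict with sorted 'added', 'missing' and 'suspect' lists.
    """
    site = set(site_entries)
    clean = set(clean_entries)
    allow = set(allowlist)
    # Present on the site but neither shipped by WordPress nor added by you.
    added = sorted(site - clean - allow)
    # Shipped by WordPress but absent from the site (tampering or a bad upload).
    missing = sorted(clean - site)
    # Unexpected entries that could be served as a page or run as code.
    suspect = [n for n in added if n.lower().endswith(ACTIVE_SUFFIXES)]
    return {"added": added, "missing": missing, "suspect": suspect}

def diff_site_root_dirs(site_dir, clean_dir, allowlist=("wp-config.php", ".htaccess")):
    """Same comparison driven from two directories on disk."""
    return diff_site_root(os.listdir(site_dir), os.listdir(clean_dir), allowlist)

# Constructed sample listings standing in for os.listdir() of a tampered root
# and of a freshly unpacked WordPress archive (abbreviated for the example).
SAMPLE_SITE = ["index.php", "wp-admin", "wp-content", "wp-includes",
               "wp-config.php", ".htaccess", "index.html", "warez.zip"]
SAMPLE_CLEAN = ["index.php", "wp-admin", "wp-content", "wp-includes",
                "wp-config-sample.php"]

if __name__ == "__main__":
    report = diff_site_root(SAMPLE_SITE, SAMPLE_CLEAN,
                            allowlist=("wp-config.php", ".htaccess"))
    for key in ("suspect", "added", "missing"):
        print(key, report[key])
```

This only compares names at the top level; it will catch the dropped index.html the post describes, but not a modified core file, which needs a hash comparison against the clean download.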

Many of you will have realised that a new version of WordPress is now available and, as with all interim releases, this is a security patch release.

But before you upgrade, here are a few things to consider and take into account (I know it's a change of tone on my part, as I always advise an immediate upgrade).

This is why Wordpress V2.8.6 has been released:

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges.  If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch.  The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

That snippet is from WordPress.org and outlines the reason behind the security release, so if the above applies to you then by all means go ahead and upgrade ASAP.
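The second problem in the excerpt concerns how uploaded file names are cleaned before they are written to disk. The excerpt does not say which Apache configuration is affected; the assumption behind this added example (which is not WordPress code and not from this post) is the well-known mod_mime behaviour where a name with several extensions, such as shell.php.jpg, can still match an AddHandler rule for .php. The sanitiser below strips directory parts, allows only a conservative character set, folds every extension but the last into the stem, and accepts only an allowlisted final extension. The extension policy is constructed for the example.

```python
import os
import re

# Constructed policy for this example: the only extensions the upload
# handler will keep. Everything else is rejected rather than renamed.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

_UNSAFE_RUN = re.compile(r"[^A-Za-z0-9._-]+")

def sanitize_upload_name(name):
    """Return a safe file name: basename only, single allowlisted extension.

    Raises ValueError when no safe name can be derived; the caller should
    then reject the upload rather than guess.
    """
    # 1. Discard any directory component, whichever separator the client used.
    base = os.path.basename(name.replace("\\", "/")).strip()
    # 2. Replace runs of anything outside [A-Za-z0-9._-] with a single dash,
    #    then tidy dashes that ended up next to dots or at the ends.
    base = _UNSAFE_RUN.sub("-", base)
    base = re.sub(r"-+\.", ".", base)
    base = re.sub(r"\.-+", ".", base)
    base = base.strip(".-")
    if not base:
        raise ValueError("empty name after sanitizing")
    # 3. Only the last dot-separated part is the extension. Every earlier
    #    part is folded into the stem with a dash, so shell.php.jpg becomes
    #    shell-php.jpg and no longer carries an inner .php that a server
    #    honouring multiple extensions could act on.
    parts = [p for p in base.split(".") if p]
    if len(parts) < 2:
        raise ValueError("file name has no extension: %r" % base)
    stem = "-".join(parts[:-1])
    ext = parts[-1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed: %r" % ext)
    return "%s.%s" % (stem, ext)

def is_accepted(name):
    """True when the name can be sanitised into an acceptable file name."""
    try:
        sanitize_upload_name(name)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for sample in ("shell.php.jpg", "../../etc/passwd.txt",
                   "my photo (1).JPG", "evil.php", ".htaccess"):
        print("%-24s -> %s" % (sample, sanitize_upload_name(sample)
                               if is_accepted(sample) else "REJECTED"))
```

Folding inner extensions costs a little convenience (archive.tar.gz becomes archive-tar.gz) in exchange for never storing a name that contains an executable extension anywhere; the allowlist on the final extension is what stops evil.php, and stripping leading dots is what stops a dropped .htaccess.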

Here are a few factors to consider before upgrading.

A number of plugins have returned errors after I upgraded to the latest version – this by no means suggests a problem with WordPress itself.

This in turn caused a few problems for me.

a) I could not log out in the admin dashboard; error returned was “You are attempting to log out of ‘SiteName’ Please try again!” (My understanding is that this is an issue with the log out hook in the current theme I’m using – under investigation at the moment).

  • Workaround – Should you find yourself in this predicament: place the cursor in your address bar and hit Enter; on refresh you will get a message asking if you are sure you want to log out, with a log out link – click on the link and you should be able to log out. Seems to work fine after that!

b) On visiting the main site the sidebar login widget showed that I was not logged in even though I could still access the admin dashboard with limitations on certain elements. I narrowed this down to the sidebar login plugin – now deactivated until the issue is resolved hopefully by a new plugin update.

c) While writing a post I was getting a MySQL database error – again this was narrowed down to a plugin, this time the “Thank you counter button” – deactivating the plugin resolved the problem, so I am awaiting an updated version.

There may be more issues cropping up as time goes by; I will keep this post updated should I come across any more issues, and remedies where available. If you are having problems after upgrading to the latest version of WordPress, please leave a comment and I’ll investigate further.


Reader's Comments

  1. Jack from Free International VOIP Calls Worldwide

    Great post. Appreciate this great service.
