We applied the WordPress 3.6.1 update to all of our managed WordPress sites today. We recommend that users check over their WordPress sites thoroughly to make sure everything is still working as it is supposed to. This update was a maintenance and security update which fixed 13 bugs.
It addresses three issues fixed by the WordPress security team:
- Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
- Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
- Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
Additionally, the update adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.
If you have any questions, please contact us at firstname.lastname@example.org or by calling 256-547-6817.