WordPress 3.8.2: First Security Release Shipped as a Background Update

photo credit: Will Montague - cc

WordPress 3.8.2 was released today with several important security fixes that warrant an immediate update. If you have background updates turned on, you should get the 3.8.2 security release within 12 hours. Of course, you can always update immediately via Dashboard > Update in the admin.

Andrew Nacin outlined the important security fixes in this release. In summary, they are:

  • Fixes a weakness that could let an attacker force their way into your site by forging authentication cookies.
  • Prevents a user with the Contributor role from improperly publishing posts.
  • Passes along additional information when processing pingbacks to help hosts identify potentially abusive requests.
  • Fixes a low-impact SQL injection by trusted users.
  • Prevents possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.

These security concerns were discreetly disclosed to the WordPress security team, but now that they are public knowledge, it’s very important to get your sites updated to the latest version.

First WordPress Security Release Shipped as a Background Update

In the course of providing the 3.8.2 security update, a 3.7.2 release was also pushed out, which includes the same fixes for sites still running on 3.7.1.

We’ve now entered a new era of WordPress security updates wherein sites that are on older versions may have automatic updates enabled. Passing on those same security updates, wherever possible, only makes sense.

I asked Nacin how far back the team plans to provide security releases for sites running older versions of WordPress. “We don’t want sites to remain on older versions,” he said. “But it’s obviously tough to pass up the opportunity to keep them secure.”

There is no hard and fast rule set for how far back security updates will go, but Nacin says that they will continue to do what they can. “This was the first security release shipped as a background update, so it’s new to us, too,” he said. “But I would expect we’ll do whatever we can to keep sites secure.”

So far the automatic updates seem to be going quite well:

The first release candidate for 3.9 was also sent out on the heels of the 3.8.2 security update. You can expect to see the official 3.9 release next week on April 16th.
