Andrew Nacin today announced the release of WordPress 3.3.2 and WordPress 3.4 Beta 3. WordPress 3.3.2 is a security release that addresses a number of security issues.
The following external libraries have had security updates:
- Plupload (version 1.5.4), which WordPress uses for uploading media.
- SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
- SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.
It also addresses:
- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
- Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.
The 3rd beta of WordPress 3.4 has also been released. Theme and plugin developers may want to update to this version though for everyone else, I would stick to the stable release of 3.3.2 and wait for the full release of 3.4. As always, it’s prudent to do a backup of your hard drive and files before performing any updates to your WordPress website.
More information about these releases can be found in the official announcement.