The WordPress developers have released version 3.4.1 of their popular open source publishing platform, fixing a number of bugs and closing security holes, one of which is rated as important. WordPress 3.4, which has already been downloaded 3 million times since being released two weeks ago, contains a important privilege escalation flaw that accidentally allowed all administrators and editors on multi-site installations to use unfiltered_html. This could have been exploited by users for cross-site scripting (XSS) attacks by, for example, publishing posts containing malicious code.
The update also fixes an information disclosure vulnerability which could have allowed some users to bypass certain security restrictions in order to view the contents of posts that they should not be able to see, such as draft and private posts. WordPress 3.4.1 further improves security by adding additional protections against cross-site request forgery (CSRF) attacks in the customizer, and deprecating the wp_explain_nonce() function as it could reveal unnecessary information. Additionally, a child theme can now only be activated along with its intended parent theme.
A full list of fixes can be found in the WordPress Trac and on the Version 3.4.1 Codex page. WordPress 3.4.1 is available to download from the project’s site; existing users can upgrade using the built-in update functionality. Binaries and source code are licensed under the GPLv2 or later.