Automattic, the company behind the popular blogging platform WordPress, has issued an update that fixes some potentially serious security holes, making it a must-have patch for self-hosted bloggers.
The update brings the software to WordPress version 3.1.3 and fixes some nasty vulnerabilities in the handling of media files, first spotted by a team at Microsoft Vulnerability Research following the company's decision to move its own LiveSpaces bloggers to the WordPress platform. It also patches a potential issue with file upload security when WordPress is installed on badly-configured hosts, and an information disclosure vulnerability related to canonical redirects spotted by Verónica Valeros.
The update also features multiple enhancements to the general security of the whole platform, along with hardening related to taxonomy queries and a fix for cancelled imports that would previously leave half-finished import files hanging around in the host's file system.
From a user-facing perspective, the update also brings 'clickjacking' protection for the admin and login pages. Although it only takes effect in up-to-date browsers, the protection makes it harder for a malicious page to steal login credentials by disguising or falsifying the WordPress user interface.
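The clickjacking protection described above reaches the browser as an anti-framing response header, so an upgraded site can be checked from the outside. The following is an added example, not WordPress or Automattic code: it assumes the header is `X-Frame-Options`, also accepts the later CSP `frame-ancestors` directive, and runs on constructed sample responses.

```python
WIDE = {"*", "http:", "https:"}   # frame-ancestors sources that let any site frame the page

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw HTTP response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def framing_policy(raw):
    """Return (protected, reason) for one response."""
    headers = parse_headers(raw)
    # Browsers that support CSP frame-ancestors use it and ignore X-Frame-Options.
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.lower().split()
            if parts[:1] == ["frame-ancestors"]:
                sources = parts[1:]
                if not sources or WIDE & set(sources):   # empty list is flagged for review
                    return (False, "frame-ancestors does not restrict framing")
                return (True, "csp frame-ancestors " + " ".join(sources))
    # X-Frame-Options may be repeated or comma-joined; collect every token.
    tokens = set()
    for name, value in headers:
        if name == "x-frame-options":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    if not tokens:
        return (False, "no anti-framing header")
    if tokens in ({"deny"}, {"sameorigin"}):
        return (True, "x-frame-options " + tokens.pop())
    if any(t.startswith("allow-from") for t in tokens):
        return (False, "allow-from is obsolete and ignored by current browsers")
    return (False, "unrecognised or conflicting x-frame-options value")

# Constructed sample responses (not captured from a real site).
LOGIN_PATCHED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>"
LOGIN_UNPATCHED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
LOGIN_LEGACY = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("patched", LOGIN_PATCHED), ("unpatched", LOGIN_UNPATCHED), ("legacy", LOGIN_LEGACY)]:
        print(label, framing_policy(raw))
```

Feed it the response head of the login and admin pages after upgrading; a result of `False` on either means the page can still be framed by another site.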
Although there are no known attacks in the wild for any of the issues resolved in the update, that won't remain the case for long: as the most popular blogging platform in the world, WordPress attracts more than its fair share of ne'er-do-wells looking to exploit the slightest hole in the software.
WordPress users are advised to update through their Dashboard, or to download the latest release for manual installation directly from WordPress.org.