IMPORTANT: Security Notice - WordPress 3.6.1

29 Sep 2013

SUMMARY

Three CVEs were reported for WordPress 3.6 and WordPress has released an upgraded version to address theses vulnerabilities. Softaculous has updated the WordPress version delivered via the Softaculous functionality in cPanel to the new version of 3.6.1.
If you have installed WordPress manually in your hosting account, please proceed as instructed in the WordPress documentation for the upgrade.

If you are running any version below 3.6.1 you are on risk and is only a Matter of time that your site is hacked.


AFFECTED VERSIONS
All versions of WordPress 3.6.0 and below.


SECURITY RATING
US-CERT/NIST has given the following severities for the WordPress vulnerabilities:

CVE-2013-4338
CVSS v2 Base Score: 7.5 (HIGH)

CVE-2013-4339
CVSS v2 Base Score: 7.5 (HIGH)

CVE-2013-4339
CVSS v2 Base Score: 3.5 (LOW)


SOLUTION
WordPress and Softaculous has available the last 3.6.1 version and is highly recommended you upgrade to this version immediately.


REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4338

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4338

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4339

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4340

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4340

http://wordpress.org/news/2013/09/wordpress-3-6-1/