Version 3.6.1

On September 11, 2013, WordPress 3.6.1 was released to the public. This is a maintenance and security update.

Installation/Update Information

To download WordPress 3.6.1, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.

For step-by-step instructions on installing and updating WordPress:

If you are new to WordPress, we recommend that you begin with the following:

Summary

From the announcement post, this maintenance release addresses 13 bugs with version 3.6.

Additionally: Version 3.6.1 fixes three security issues:

  • Remote Code Execution: Block unsafe PHP de-serialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem. CVE-2013-4338.
  • Link Injection / Open Redirect: Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention. CVE-2013-4339.
  • Privilege Escalation: Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij. CVE-2013-4340.

Additional security hardening:

  • Updated security restrictions around file uploads to mitigate the potential for cross-site scripting. The extensions .swf and .exe are no longer allowed by default, and .htm and .html are only allowed if the user has the ability to use unfiltered HTML.

A full log of the changes made for 3.6.1 can be found at https://core.trac.wordpress.org/log/branches/3.6?stop_rev=24972&rev=25345.

List of Files Revised

readme.html
wp-admin/about.php
wp-admin/nav-menus.php
wp-admin/includes/post.php
wp-admin/includes/update-core.php
wp-admin/includes/template.php
wp-admin/network/upgrade.php
wp-admin/js/common.js
wp-includes/pluggable.php
wp-includes/comment-template.php
wp-includes/post-template.php
wp-includes/version.php
wp-includes/theme.php
wp-includes/functions.php
wp-includes/ms-functions.php
wp-includes/link-template.php
wp-includes/class-http.php
wp-includes/js/jquery/jquery.js
wp-includes/js/tinymce/plugins/wordpress/editor_plugin.js
wp-includes/js/tinymce/plugins/wordpress/editor_plugin_src.js
wp-includes/js/tinymce/wp-tinymce.js.gz

First published

Last updated