WordPress issues security fixes, advises “update your sites immediately”: Mega-popular blogging and content management system WordPress has just put out version 3.6.1.
Since it’s a maintenance release (an update from 3.6), it doesn’t have a huge raft of new features, but it does fix three security holes.
One of them is a Remote Code Execution vulnerability reported by a young Belgian web application security researcher named Tom Van Goethem.
Now that the fix is out, Van Goethem has published a very detailed description of the bug and the steps he went through to uncover it.
He also mentions that, by using a popular plugin, he was able to go from vulnerability (“there’s a hole, and it could be risky”) to exploit (“here’s how to use the vulnerability for unauthorised access”).