On June 21, 2013, WordPress 3.5.2 was released to the public. This is a maintenance and security update.
Installation/Update Information
To download WordPress 3.5.2, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress – Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
Summary
From the announcement post, this maintenance release addresses 12 bugs with version 3.5 and 3.5.1.
Additionally: Version 3.5.2 fixes seven security issues:
* Server-Side Request Forgery (SSRF) via the HTTP API. CVE-2013-2199. * Privilege Escalation: Contributors can publish posts, and users can reassign authorship. CVE-2013-2200. * Cross-Site Scripting (XSS) in SWFUpload. CVE-2013-2205. * Denial of Service (DoS) via Post Password Cookies. CVE-2013-2173. * Content Spoofing via Flash Applet in TinyMCE Media Plugin. CVE-2013-2204. * Cross-Site Scripting (XSS) when Uploading Media. CVE-2013-2201. * Full Path Disclosure (FPD) during File Upload. CVE-2013-2203.
Additional security hardening includes:
* Cross-Site Scripting (XSS) (Low Severity) when Editing Media. CVE-2013-2201. * Cross-Site Scripting (XSS) (Low Severity) when Installing/Updating Plugins/Themes. CVE-2013-2201. * XML External Entity Injection (XXE) via oEmbed. CVE-2013-2202.
A full log of the changes made for 3.5.2 can be found at https://core.trac.wordpress.org/log/branches/3.5?rev=24498&stop_rev=23347.
List of Files Revised
readme.html wp-admin/includes/media.php wp-admin/includes/class-wp-importer.php wp-admin/includes/file.php wp-admin/includes/post.php wp-admin/includes/upgrade.php wp-admin/includes/schema.php wp-admin/includes/class-wp-upgrader.php wp-admin/includes/update-core.php wp-admin/update.php wp-admin/about.php wp-admin/edit-form-advanced.php wp-login.php wp-includes/class-wp-xmlrpc-server.php wp-includes/rss.php wp-includes/functions.php wp-includes/formatting.php wp-includes/post.php wp-includes/media-template.php wp-includes/deprecated.php wp-includes/wp-db.php wp-includes/user.php wp-includes/class-wp-admin-bar.php wp-includes/version.php wp-includes/class-phpass.php wp-includes/comment.php wp-includes/pluggable.php wp-includes/class-feed.php wp-includes/script-loader.php wp-includes/class-http.php wp-includes/js/media-editor.min.js wp-includes/js/swfupload/swfupload-all.js wp-includes/js/swfupload/handlers.js wp-includes/js/swfupload/handlers.min.js wp-includes/js/swfupload/swfupload.swf wp-includes/js/plupload/handlers.js wp-includes/js/plupload/handlers.min.js wp-includes/js/tinymce/wp-tinymce.js.gz wp-includes/js/tinymce/plugins/media/moxieplayer.swf wp-includes/js/tinymce/tiny_mce.js wp-includes/js/media-editor.js wp-includes/class-oembed.php wp-includes/post-template.php wp-includes/http.php