Version 3.8.35

On October 29, 2020, WordPress 3.8.35 was released to the public.

Installation/Update Information

To download this version, update automatically from the Dashboard > Updates menu in your site’s admin area or visit the WordPress releases archive.

For step-by-step instructions on installing and updating WordPress:

If you are new to WordPress, we recommend that you begin with the following:

Summary

Security updates

  • Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
  • Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
  • Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
  • Thanks to Justin Tran who reported a privilege escalation issue in XML-RPC. He also found and disclosed a privilege escalation issue in post commenting via XML-RPC.
  • Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
  • Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
  • Thanks to Slavco for reporting, and Karim El Ouerghemmi for confirming, a method to bypass protected meta that could lead to arbitrary file deletion.
  • And a special thanks to @zieladam who was integral in many of the releases and patches during this release.

This release was led by @audrasjb, @davidbaumwald, @desrosj, @johnbillion, @metalandcoffee, @noisysocks, @planningwrite, @sarahricker, @sergeybiryukov and @whyisjake.
