The WordPress 3.6.1 Security Update was released this week. I highly recommend updating your site as soon as possible.
3.6.1 patches three important security vulnerabilities that exist in 3.6, listed below:
- Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
- Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
- Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
Additionally, the WordPress Security Team adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.
Make plans to upgrade to WordPress Core version 3.6.1 now to keep your site secure. As always, be sure to back up your files and database before upgrading to 3.6.1. I highly recommend BackupBuddy, which allows you to easily schedule, or run on demand, either a full-site backup or a database-only backup. If you are more comfortable having someone else run your backups and install updates, I am more than happy to help.
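A quick way to confirm whether a site is still below 3.6.1 before planning the upgrade, as an added example that is not part of the original post: it reads the version string from wp-includes/version.php and compares it against 3.6.1. The site root path is an assumption, and the sample install the script builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: report whether a WordPress
# install is still older than 3.6.1 by reading wp-includes/version.php.
# The site root path is an assumption; point wp_check_361 at your own.

# True (exit 0) when dotted version $1 is older than $2; pre-release
# suffixes such as "-beta1" are ignored for the comparison.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {          # missing components count as 0
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1                              # equal is not "older than"
    }'
}

# Print the $wp_version string declared in the version.php given as $1.
wp_version_from_file() {
    sed -n "s/^\\\$wp_version *= *'\([^']*\)'.*/\1/p" "$1"
}

# Print "update (<ver> < 3.6.1)" or "ok (<ver>)" for the WordPress root $1.
wp_check_361() {
    ver=$(wp_version_from_file "$1/wp-includes/version.php" 2>/dev/null || true)
    if [ -z "$ver" ]; then
        echo "unknown (no wp-includes/version.php under $1)"; return 2
    fi
    if version_lt "$ver" 3.6.1; then
        echo "update ($ver < 3.6.1)"; return 1
    fi
    echo "ok ($ver)"
}

# Constructed sample install standing in for a real site; it declares 3.6,
# the version this update supersedes.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/wp-includes"
cat > "$demo_root/wp-includes/version.php" <<'PHP'
<?php
$wp_version = '3.6';
PHP

wp_check_361 "$demo_root" || :   # prints: update (3.6 < 3.6.1); exit 1 = update due
```

Run it against each site root you manage; a non-zero exit status means that install still needs the 3.6.1 update.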