Security fixes in this release include measures to prevent server-side request forgery (SSRF) attacks. The TinyMCE editor, WordPress's fork of the external SWFUpload library and other components have been updated to close cross-site scripting (XSS) holes; WordPress uses its SWFUpload fork to upload files to the server, while TinyMCE is the platform's content editor. A problem that attackers could exploit to mount denial-of-service (DoS) attacks against sites that use WordPress's password protection for posts has also been fixed.
WordPress 3.5.2 is available for download from the project’s web site. Alternatively, existing users can update automatically via Dashboard → Updates in the WordPress admin interface. The source code for WordPress is licensed under the GPLv2 or later.
Cross-posted from Heise-Security.