WordPress 3.3.2 Security Update

WordPress 3.3.2 is out to fix multiple vulnerabilities.  If you have a WordPress site somewhere on the internet, it is important to keep up to date.


WordPress 3.3.2 includes security updates for three external libraries:

  • Plupload (version 1.5.4), which WordPress uses for uploading media.
  • SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
  • SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

WordPress 3.3.2 also addresses:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
  • Cross-site scripting vulnerability when making URLs clickable.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.


  2. Hello Infosecblog,
    Very interesting, I’m hosting a WordPress blog using Webserver on a Stick (WOS). It runs completely on my machine and is for my own use only, so no internet connection is required. Still, I usually have an internet connection going anyway.

    However, I still get messages within WordPress about updates, and a big part of that is security features. Do I have to be concerned about this? Is it possible for others to hack in somehow even though I’m not “broadcasting”?

    • Depends on how the computer is on the internet.

      Most people at home are behind a Linksys type of device. That provides a firewall so just a random person on the internet couldn’t access the server to exploit it. If you are directly on the internet, malware could scan blindly looking for sites to exploit. So you would need to do it.
