- Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site.
- Disallow contributors from improperly publishing posts, reported by Konstantin Kovshenin, or reassigning the post’s authorship, reported by Luke Bryan.
- An update to the SWFUpload external library to fix cross-site scripting vulnerabilities. Reported by mala and Szymon Gruszecki.
- Prevention of a denial of service attack, affecting sites using password-protected posts.
- An update to an external TinyMCE library to fix a cross-site scripting vulnerability. Reported by Wan Ikram.
- Multiple fixes for cross-site scripting. Reported by Andrea Santese and Rodrigo.
- Avoid disclosing a full file path when an upload fails. Reported by Jakub Galczyk.
You are advised to upgrade immediately.
Download: WordPress 3.5.2 or visit Dashboard -> Updates in your site admin to update now.
I have moved the remaining WordPress plugins repository to Github and thanks to scribu’s script, I can deploy from Github back to WordPress Plugins SVN Repo.
Also thanks to scribu for taking the lead with WP-PageNavi and WP-UserOnline previously =)
Feel free to submit pull requests or fork the repo or follow me on GitHub.
Here are all the links.
WordPress 3.6 Beta 1 has been released! The final version of WordPress 3.6 is expected to ship on 29th April 2013.
To start off, WordPress 3.6 will ship with a new default theme, named Twenty Thirteen.
What’s New In WordPress 3.6
- Post Formats: Post Formats now have their own UI, and theme authors have access to templating functions to access the structured data.
- Twenty Thirteen: We’re shipping this year’s default theme in our first release of the year. Twenty Thirteen is an opinionated, color-rich, blog-centric theme that makes full use of the new Post Formats support.
- Audio/Video: You can embed audio and video files into your posts without relying on a plugin or a third party media hosting service.
- Autosave: Posts are now autosaved locally. If your browser crashes, your computer dies, or the server goes offline as you’re saving, you won’t lose your post.
- Post Locking: See when someone is currently editing a post, and kick them out of it if they fall asleep at the keyboard.
- Nav Menus: Nav menus have been simplified with an accordion-based UI, and a separate tab for bulk-assigning menus to locations.
- Revisions: The all-new revisions UI features avatars, a slider that scrubs through history, and two-slider range comparisons.
Download: WordPress 3.6 Beta 1
- Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
- Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
- Networks: Suggest proper rewrite rules when creating a new network.
- Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
- Suppress some warnings that could occur when a plugin misused the database or user APIs.
Additionally, a bug affecting Windows servers running IIS can prevent updating from 3.5 to 3.5.1. If you receive the error “Destination directory for file streaming does not exist or is not writable,” you will need to follow the steps outlined on the Codex.
WordPress 3.5.1 also addresses the following security issues:
- A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
- Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
- A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.
Download: WordPress 3.5.1 or visit Dashboard -> Updates in your site admin to update now.
WordPress 3.5 is out after 6 RCs!
If you’ve been around WordPress a while, the most dramatic new change you’ll notice is a completely re-imagined flow for uploading photos and creating galleries. Media has long been a friction point and we’ve listened hard and given a lot of thought into crafting this new system. 3.5 includes a new default theme, Twenty Twelve, which has a very clean mobile-first responsive design and works fantastic as a base for a CMS site. Finally we’ve spent a lot of time refreshing the styles of the dashboard, updating everything to be Retina-ready with beautiful high resolution graphics, a new color picker, and streamlining a couple of fewer-used sections of the admin.
WordPress 3.5 RC3 has been released, I am expecting it to be the last RC and we will see the final WordPress 3.5 sometime within this week. No idea whether they will meet the originally targeted date of 5th December 2012.
- Final UI improvements for the new media manager, based on lots of great feedback.
- Show more information about uploading errors when they occur.
- When inserting an image into a post, don’t forget the alternative text.
- Fixes for the new admin button styles.
- Improvements for mobile devices, Internet Explorer, and right-to-left languages.
- Fix cookies for subdomain installs when multisite is installed in a subdirectory.
- Fix ms-files.php rewriting for very old multisite installs.
Here is a list of pending issues (6 left): http://core.trac.wordpress.org/report/5
Download: WordPress 3.5 RC3
WordPress 3.5 RC2 has been released and if everything is ok, we will expect to see the final version of WordPress 3.5 next Wednesday, 5th December 2012.
Here is a list of pending issues: http://core.trac.wordpress.org/report/6
Download: WordPress 3.5 RC2
WordPress 3.5 Beta 3 has been released!
More than 300 bugs have been fixed since Beta 2, the Add Media dialog is complete, and the bundled libraries were updated to jQuery UI 1.9.1, SimplePie 1.3.1 and TinyMCE 3.5.7.
RC1 should be out next week followed by the final version of WordPress 3.5 which is targeted on 5th December 2012.
Download: WordPress 3.5 Beta 3
WordPress 3.5 Beta 2 has been released!
Changes since Beta 1
- New workflow for working with image galleries, including drag-and-drop reordering and quick caption editing.
- New user interface for setting static front pages for the Reading Settings screen. (#16379)
- New image editing API. (#6821)
Download: WordPress 3.5 Beta 2
WordPress 3.5 Beta 1 has been released! The final version of WordPress 3.5 is expected to ship on 5th December 2012.
WordPress 3.5 will ship with a new default theme, named Twenty Twelve. But if you do not want to wait till December 2012, you can grab it now at the WordPress Theme directory. It will work with WordPress 3.4.x as well.
What’s New (General)
- Appearance: A simplified welcome screen. A new color picker. And the all-HiDPI (retina) dashboard.
- Accessibility: Keyboard navigation and screen reader support have both been improved.
- Plugins: You can browse and install plugins you’ve marked as favorites on WordPress.org, directly from your dashboard.
- Mobile: It’ll be easier to link up your WordPress install with our mobile apps, as XML-RPC is now enabled by default.
- Links: We’ve hidden the Link Manager for new installs. (Don’t worry, there’s a plugin for that.)
What’s New (For Developers)
- External libraries updated: TinyMCE 3.5.6. SimplePie 1.3. jQuery 1.8.2. jQuery UI 1.9 (and it’s not even released yet). We’ve also added Backbone 0.9.2 and Underscore 1.3.3, and you can use protocol-relative links when enqueueing scripts and styles. (#16560)
- WP Query: You can now ask to receive posts in the order specified by
- XML-RPC: New user management, profile editing, and post revision methods. We’ve also removed AtomPub. (#18428, #21397, #21866)
- Multisite: switch_to_blog() is now used in more places, is faster, and more reliable. Also: You can now use multisite in a subdirectory, and uploaded files no longer go through ms-files (for new installs). (#21434, #19796, #19235)
- TinyMCE: We’ve added API support for ‘views’, which you can use to offer previews and interaction of elements from the visual editor. (#21812)
- Posts API: Major performance improvements when working with hierarchies of pages and post ancestors. Also, you can now ‘turn on’ native custom columns for taxonomies on edit post screens. (#11399, #21309, #21240)
- Comments API: Search for comments of a particular status, or with a meta query (same as with WP_Query). (#21101, #21003)
- oEmbed: We’ve added support for a few oEmbed providers, and we now handle SSL links. (#15734, #21635, #16996, #20102)
Download: WordPress 3.5 Beta 1
WordPress 3.4.2 has been released. It is both a maintenance release that fixes 21 bugs and a security release that fixes vulnerabilities, including a potential privilege escalation and a bug that affects multisite installs with untrusted users.
Some of the 21 bugs include:
- Fix some issues with older browsers in the administration area.
- Fix an issue where a theme may not preview correctly, or its screenshot may not be displayed.
- Improve plugin compatibility with the visual editor.
- Address pagination problems with some category permalink structures.
- Avoid errors with both oEmbed providers and trackbacks.
- Prevent improperly sized header images from being uploaded.
Version 3.4.2 also fixes a few security issues and contains some security hardening. The vulnerabilities included potential privilege escalation and a bug that affects multisite installs with untrusted users. These issues were discovered and fixed by the WordPress security team.
Download: WordPress 3.4.2
Auto Update: Dashboard -> Updates
ManageWP wrote an article entitled, Show Your Love for the Top 100 WordPress Plugin Developers. I am ranked 5th on the charts =D
We’ve spent rather a lot of time gathering and sorting data for the top 100 WordPress plugin developers, based upon total number of downloads. Unless you are brand new to WordPress, it is likely that you use at least one plugin created by the developers below.
All you need to do is pick out one (or more) of your favorite developers, and take a moment to thank them. We’ve collected all of the Twitter accounts we could find, but we are sure you can find other ways of getting in touch if your chosen developer doesn’t have an account listed.
Firing off a quick tweet to thank a developer for developing great free products will only take a moment, so why not do it?
Furthermore, if you’re on the hunt for plugins to check out, you will find a comprehensive list below of the most popular plugins available for WordPress. Just remember to thank the developer if you start using one!
Thanks for the support guys =D
Some of the 18 bugs include:
- Fixes an issue where a theme’s page templates were sometimes not detected.
- Addresses problems with some category permalink structures.
- Adds early support for uploading images on iOS 6 devices.
- Allows for a technique commonly used by plugins to detect a network-wide activation.
- Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.
Version 3.4.1 also fixes a few security issues and contains some security hardening. The vulnerabilities included potential information disclosure as well as a bug that affects multisite installs with untrusted users. These issues were discovered and fixed by the WordPress security team.
Download: WordPress 3.4.1
Auto Update: Dashboard -> Updates
WordPress 3.4 has been released.
The biggest change in 3.4 is the theme customizer which allows you to play around with various looks and settings for your current theme or one you’re thinking about switching to without publishing those changes to the whole world. For themes that support it, you can change colors, backgrounds, and of course custom image headers. We have more planned for the customizer down the road.
Throughout the rest of the admin you’ll notice tweaks to make your everyday life easier. For example, if you have lots of themes we’ve made it quicker to browse them all at once without paging. We’ve made it possible to use images from your media library to populate custom headers, and for you to choose the height and width of your header images.
We’ve expanded our embed support to include tweets: just put a Twitter permalink on its own line in the post editor and we’ll turn it into a beautiful embedded Tweet. And finally, image captions have been improved to allow HTML, like links, in them.
There are hundreds of under-the-hood improvements in this release, notably in the XML-RPC, themes, and custom header APIs, and significant performance improvements in WP_Query and the translation system. The Codex has a pretty good summary of the developer features, and you can always dive into Trac directly.
Download: WordPress 3.4
PS: My plugins should work with WordPress 3.4. If you discover any bug, just drop me an email, lesterchan AT gmail.
About 2 weeks ago, I released an update to WP-Email, WP-Polls, WP-PostRatings and WP-PostViews which added nonce checks and moved the AJAX requests to be handled by /wp-admin/admin-ajax.php.
Here are 3 common issues that users are facing:
“-1” or “Failed To Verify Referrer”
Password Protected /wp-admin/ Will Not Work
If you are using .htpasswd to protect your /wp-admin/ folder, AJAX requests to /wp-admin/admin-ajax.php will not work. This problem is not unique to my plugins: any WordPress plugin that uses the WordPress AJAX API will break. As mentioned in the Codex article Hardening WordPress:
Simply securing the wp-admin/ directory might also break some WordPress functionality, such as the AJAX handler at wp-admin/admin-ajax.php
To bypass this, check out the tutorial Password protecting the wp-admin directory, which shows how to whitelist admin-ajax.php inside your protected /wp-admin/ using .htaccess.
I still hope a future version of WordPress will separate front-facing AJAX requests from backend AJAX requests.
Your WP-Admin Is HTTPS While Your Site Is Not
If your WP-Admin is behind SSL (HTTPS) and you have define('FORCE_SSL_ADMIN', true); in your wp-config.php, the AJAX call will fail because the browser treats https://yoursite.com and http://yoursite.com as different origins.
To solve this issue, replace
'ajax_url' => admin_url('admin-ajax.php'),
with
'ajax_url' => admin_url('admin-ajax.php', (is_ssl() ? 'https' : 'http')),
What the code does is basically force http to be used when calling admin-ajax.php from a page that is itself served over http, so the AJAX request stays on the same origin as the page. Again this is a hack, I am trying to figure out a way around it.
I have pushed the code to trunk of all the respective plugins.
I have updated the following plugins:
Now all AJAX requests are handled by /wp-admin/admin-ajax.php. Previously they were handled by the plugin PHP file itself, which assumed that wp-load.php is always 2 levels down from the plugin file. But since you can have your WordPress in any folder, custom loading of wp-load.php is not possible, as the path to wp-load.php varies from server to server.
While I am at it, I added nonce check for AJAX calls to WP-Polls, WP-PostRatings and WP-Email. Let me know if you run into problems via WordPress Support Forums, My Forums (if you are already registered) or via email (lesterchan AT gmail).
PS: Kindly refer to http://lesterchan.net/wordpress/2012/06/05/ajax-not-working-for-wp-email-wp-polls-wp-postratings-or-wp-postviews/ if you ran into problems.
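Putting the two posts above together (admin-ajax.php routing, the nonce checks, and the is_ssl() scheme fix), here is an added example that is not code from the original posts or from the WP-Email, WP-Polls, WP-PostRatings or WP-PostViews plugins; the plugin handles, the "example_vote" action, the nonce action name and the meta key are all assumptions.

```php
<?php
// Added example, not code from the original post or from the WP-Polls,
// WP-PostRatings, WP-Email or WP-PostViews plugins. Script handle,
// the "example_vote" action, nonce action and meta key are hypothetical.

// 1. Enqueue the front-end script and hand it the AJAX URL plus a nonce.
function example_enqueue_scripts() {
    wp_enqueue_script( 'example-vote', plugins_url( 'vote.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-vote', 'exampleVote', array(
        // Use the scheme of the page making the request. With FORCE_SSL_ADMIN
        // set, admin_url( 'admin-ajax.php' ) alone returns https://, which the
        // browser treats as a different origin from the http:// front end.
        'ajax_url' => admin_url( 'admin-ajax.php', is_ssl() ? 'https' : 'http' ),
        // Nonce bound to one action; vote.js sends it back as the "nonce" field
        // together with action=example_vote and post_id.
        'nonce'    => wp_create_nonce( 'example-vote-nonce' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_scripts' );

// 2. Handle the request inside admin-ajax.php, so WordPress loads wp-load.php
//    itself instead of the plugin guessing its relative path.
function example_handle_vote() {
    // Missing, expired or foreign nonce: check_ajax_referer() stops here and
    // replies "-1", which is the "-1" response users were reporting.
    check_ajax_referer( 'example-vote-nonce', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || 'publish' !== get_post_status( $post_id ) ) {
        wp_send_json_error( 'invalid post' ); // WordPress 3.5+ JSON helpers
    }

    $votes = (int) get_post_meta( $post_id, '_example_votes', true ) + 1;
    update_post_meta( $post_id, '_example_votes', $votes );
    wp_send_json_success( array( 'votes' => $votes ) );
}
// wp_ajax_ serves logged-in users, wp_ajax_nopriv_ logged-out visitors;
// register both so the front-end widget works for everyone.
add_action( 'wp_ajax_example_vote',        'example_handle_vote' );
add_action( 'wp_ajax_nopriv_example_vote', 'example_handle_vote' );
```

For logged-out visitors the nonce is derived from user ID 0, so it is a CSRF and replay check for its 12 to 24 hour lifetime rather than an identity check. A page cache that serves a stale copy of the page will hand out an expired nonce and produce the same -1 reply.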
WordPress 3.3.2 & 3.4 Beta 3 have been released
- Plupload (version 1.5.4), which WordPress uses for uploading media.
- SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
- SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.
- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
- Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.
WordPress 3.4 Beta 3
- 90 bugs have been fixed since beta 2