Newly released WordPress 3.6.1 is described as a 'maintenance and security release' fixing 13 bugs. But the release statement adds, "WordPress 3.6.1 is also a security release for all previous WordPress versions and we strongly encourage you to update your sites immediately."
The three security issues block unsafe PHP unserialization (which could lead to remote code execution); prevent forged posts; and fix insufficient input validation (which could result in dangerous user redirects).
"Additionally," says the statement, "we’ve adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting."
The popularity of WordPress makes it increasingly attractive to attackers. There have been more than 7 million downloads of version 3.6. The free hosted version (WordPress.com) is home to more then 70 million blogs around the world. According to Quintuo, "Around 20% of all new websites published in 2011 were based on it. In the market of CMS it clearly outranks its competitors with a share of over 50%."
A major reason for the popularity of WordPress is its ease of use. The result is a huge number of WordPress sites run by bloggers who are both IT and security naive. These are the primary targets for the criminals; and it is these more than most who should heed the WordPress warning and update their websites.
"With so many of the world’s websites relying upon the WordPress software," warns security researcher Graham Cluley, "it is essential that webmasters keep their systems up to date. After all, if a hacker managed to infiltrate your blog and inject code, the attack could be passed onto your visitors."
Cluley's own blog is hosted with a managed WordPress service, "which," he was 'delighted' to say, "updated my installation of WordPress for me while I was tucked up in bed." But many bloggers will be hosted with low-cost service providers who are less likely to provide such proactive support to their customers.
Such WordPress users should check the version they are currently using. If it is not 3.6.1 then the update option in the Dashboard will fulfill the required process.