Last night the WordPress team released WordPress 3.3.2, which is available for download and as an update through the built-in updater. It is a bug fix and maintenance release and includes security updates for the following libraries (taken from the WordPress blog post):
- Plupload (version 1.5.4), which WordPress uses for uploading media.
- SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
- SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.
The release also addresses the following bugs (taken from the official blog post):
- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
- Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.
As always, we recommend that you update right away to keep your WordPress installation secure and prevent breaches. If you are on our maintenance plan, your site has already been upgraded.