OR, those running WordPress sites vulnerable to known exploits can take the responsibility of keeping up with URGENT SECURITY UPDATES which are DESIGNED TO PATCH THESE SAME TYPES OF KNOWN VULNERABILITIES/EXPLOITS (for example, 3.6.1 was designed to patch redirection hacks such as this one), in order to protect their READERS (who are needlessly exposed to having malware installed on THEIR computers after being redirected to another dodgy site, due to the owner's lack of concern for their security).
WordPress 3.6.1 Maintenance and Security Release
Posted September 11, 2013 by Andrew Nacin. Filed under Releases, Security.
After nearly 7 million downloads of WordPress 3.6, we are pleased to announce the availability of version 3.6.1. This maintenance release fixes 13 bugs in version 3.6, which was a very smooth release.
WordPress 3.6.1 is also a security release for all previous WordPress versions and we strongly encourage you to update your sites immediately. It addresses three issues fixed by the WordPress security team:
- Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
- Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
- Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrop Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.
BTW, anyone who's visited those compromised sites is advised to make sure YOUR computer's security patches are up to date, since YOUR PC is now vulnerable to being made a bot by visiting the redirected sites.
Adam
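The third item in the quoted 3.6.1 notes ("insufficient input validation that could result in redirecting ... a user to another website") is the open-redirect bug class. The PHP below is an added illustration of that class and is not WordPress code, nor a reproduction of the actual 3.6.1 fix; the function names, the allow-list of hosts and the sample redirect targets are all assumptions constructed for this example. It shows a naive "does the trusted host name appear in the target?" check beside a hardened version that parses the URL and compares the parsed host exactly, and runs both over a handful of constructed targets that bypass the naive check.

```php
<?php
// Added example (not WordPress code, not the 3.6.1 patch): a weak and a
// hardened redirect-target check for the open-redirect bug class.
// ALLOWED_REDIRECT_HOSTS and the sample targets are assumptions for the demo.

// Hosts this hypothetical site is willing to send users to after login etc.
const ALLOWED_REDIRECT_HOSTS = ['example.com', 'www.example.com'];

// Weak check: only asks whether an allowed host name appears somewhere in the
// target string. Every bypass in the sample list below passes this test.
function weak_is_safe_redirect(string $target): bool {
    foreach (ALLOWED_REDIRECT_HOSTS as $host) {
        if (strpos($target, $host) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: parse the URL, require an http(s) scheme, refuse userinfo,
// and compare the parsed host exactly against the allow-list. Relative paths
// (no scheme, no host) are accepted only when they start with a single "/",
// because "//host" is a scheme-relative URL and some browsers also treat "/\"
// as "//", both of which resolve to another origin.
function safe_is_safe_redirect(string $target): bool {
    // Control characters and whitespace are used to smuggle a second URL past
    // naive parsers; reject them outright.
    if (preg_match('/[\x00-\x20\x7f]/', $target)) {
        return false;
    }
    $parts = parse_url($target);
    if ($parts === false) {
        return false;
    }
    // Site-local path such as "/wp-admin/".
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        $path = $parts['path'] ?? '';
        return $path !== '' && $path[0] === '/' && !preg_match('#^/[/\\\\]#', $path);
    }
    // Anything with a host must also carry an explicit http(s) scheme.
    if (!isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // "http://example.com@evil.net/" parses with user=example.com, host=evil.net;
    // the host comparison would already fail, but refuse userinfo regardless.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    return in_array(strtolower($parts['host']), ALLOWED_REDIRECT_HOSTS, true);
}

// Constructed sample redirect targets (not taken from any real incident),
// each with the verdict a correct validator should give.
$targets = [
    '/wp-admin/'                                      => true,
    'https://www.example.com/wp-login.php'            => true,
    'http://example.com.evil.net/'                    => false, // allowed host as a prefix
    'http://evil.net/?next=example.com'               => false, // allowed host in the query
    'http://example.com@evil.net/'                    => false, // userinfo trick
    '//evil.net/example.com'                          => false, // scheme-relative URL
    '/\\evil.net/example.com'                         => false, // backslash treated as "/" by some browsers
    'javascript:alert(document.domain)//example.com'  => false, // non-http scheme
];

foreach ($targets as $target => $expected_safe) {
    printf("%-50s weak=%-5s hardened=%-5s expected=%s\n",
        $target,
        weak_is_safe_redirect($target) ? 'allow' : 'deny',
        safe_is_safe_redirect($target) ? 'allow' : 'deny',
        $expected_safe ? 'allow' : 'deny');
}
```

Run it with `php redirect_check.php` (any PHP 7.0 or later). The weak check allows every one of the six hostile targets because each contains the string "example.com" somewhere; the hardened check allows only the two legitimate ones. The general lesson for the 3.6.1 item is that a redirect target must be validated as a parsed URL against an exact host allow-list, never by substring or prefix matching on the raw string.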