WordPress.org

Codex

Interested in functions, hooks, classes, or methods? Check out the new WordPress Code Reference!

Version 3.3.3

On June 27, 2012, Version 3.3.3 was released for those who haven't yet updated to the 3.4 branch. It was an unannounced security fix release. At the same time, Version 3.4.1 was released to the public.

This is a security update for all previous WordPress versions.

For version 3.3.3, the database version (db_version in wp_options) remained at 19470.

Installation/Update Information

To download WordPress 3.3.3, visit http://wordpress.org/download/release-archive/.

For step-by-step instructions on installing and updating WordPress:

If you are new to WordPress, we recommend that you begin with the following:

Summary

Version 3.3.3 was released at the same time as Version 3.4.1 to address security vulnerabilities affecting the 3.3 branch that were fixed in either Version 3.4 or Version 3.4.1:

  • Cross-Site Scripting: Fix persistent XSS via editable slug fields. (Also fixed in 3.4.0.)
  • Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information. (Also fixed in 3.4.1.)
  • Hardening: Require a child theme to be activated with its intended parent only. (Also fixed in 3.4.1.)
  • Information Disclosure: Restrict some post IDs when dealing with media uploading, which could leak some info (or attach media to a post the user doesn’t have privileges to). (Also fixed in 3.4.0.)
  • Information Disclosure: Hide post excerpts when the user cannot read the whole post (e.g. a contributor can’t read someone else’s draft beyond the title). (Also fixed in 3.4.0.)
  • XSS Hardening: Escape the output of get_pagenum_link(). Note that this function was previously considered to have returned unescaped data, so this was not a vulnerability, but an enhancement. (Also fixed in 3.4.0.)
  • CSRF Hardening: Prevent unfiltered HTML in comments when there is potential for clickjacking (i.e. when the front-end of the site is loaded in a frame). (Also fixed in 3.4.0.)

For the complete list of changesets: http://core.trac.wordpress.org/log/branches/3.3?rev=21147&stop_rev=21082&verbose=on

List of Files Revised

wp-includes/default-filters.php
wp-includes/version.php
wp-includes/functions.php
wp-includes/link-template.php
wp-includes/capabilities.php
readme.html
wp-admin/includes/class-wp-posts-list-table.php
wp-admin/includes/class-wp-upgrader.php
wp-admin/includes/update-core.php
wp-admin/includes/class-wp-themes-list-table.php
wp-admin/media-upload.php
wp-admin/about.php
wp-admin/themes.php
See also: other WordPress Versions.