The WordPress.org team has released version 4.6.1 of the WordPress CMS, which fixes 2 security issues and 15 bugs related to the application's regular functions.

The WordPress team recommends that site administrators update their installations as soon as possible, WP 4.6.1 being considered a security release.

The first of the two security-related issues fixed in this version is a path traversal vulnerability discovered by one of the engineers in the WordPress security team, Dominik Schilling.

The second was unveiled by an independent security researcher, who reported a cross-site scripting (XSS) vulnerability in the admin panel that can be exploited via the image file name field.

Summer of Pwnage event yields more bugfixes

The researcher's name is Cengiz Han Sahin, and he works for Securify, a Dutch security company, and is a participant in the Summer of Pwnage (SumOfPwn) event that took place in Amsterdam over the course of the entire month of July.

Many security researchers with different levels of expertise participated in a joint bug hunting session that took aim at discovering security issues in WordPress and its most popular plugins.

The bug hunting camp yielded reports for over 120 security issues. Among the most impactful were issues in two WordPress plugins deployed on millions of sites: All in One SEO and WooCommerce.

Both are persistent XSS issues. Sahin is also the researcher who discovered the XSS issue affecting the WooCommerce plugin, which, just like the XSS bug fixed in the WordPress core, can be exploited via image metadata and lead to a full takeover of the affected website.

Sahin told Softpedia today in a tweet that he got the idea to test the built-in WordPress image metadata handling functions after we asked him during an interview for the WooCommerce bug if those functions were vulnerable in the same way the WooCommerce functions were.

The other 15 bugs fixed in WordPress 4.6.1 are related to the underlying CMS codebase and are not considered security issues.

Administrators can update their WordPress installation using the built-in (auto-)update functionality that can be found in the site's backend in the Dashboard >> Updates section.