Heads up to all WordPress users! In case you haven’t logged in to your dashboard or haven’t heard about it, the dev team has released WordPress 4.2.1. This version is a critical security release for all previous versions of WordPress and everyone is advised to immediately update.
The patch is for another XSS (cross site scripting) vulnerability which is similar to the one patched in the version 4.1.2 security release. Jouko Pynnönen, the person who discovered the vulnerability shares some information about it:
Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed.
If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
Alternatively, the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
He also uploaded a video on YouTube as a proof of concept demo of the stored XSS vulnerability:
I was on the way out of the house earlier today when I received an email alert from WordPress regarding the security release. Thankfully I was able to read that email right before I left so I still had time to do the update. I just recently updated my installation to WordPress 4.2 the other day but I didn’t hesitate and immediately updated to WordPress 4.2.1 when I read about the seriousness of the vulnerability.
If you’ve enabled Automatic Updates then you don’t have to worry about it. If you disabled Automatic Updates, then you can update your WordPress installation to the latest version two ways: 1) Do it via Dashboard > Updates > Update Now or 2) Do it manually by downloading it from WordPress.org and uploading it via FTP.
In case you don’t have the ability to update your WordPress installation but have access to your dashboard, you can prevent exploitation by temporarily disabling comments on your WordPress blog or website and do not approve any comments until you’ve updated to the patched version.
Again, this is a serious and critical security release so all users are encouraged to update immediately to WordPress 4.2.1. Better safe than sorry folks!
