It’s only been a little over a week since the WordPress 4.2.1 security release came out, and now we already have WordPress 4.2.2. It was released just a few minutes ago to address a couple of critical cross-site scripting (XSS) vulnerabilities. I saw the update notification on my dashboard while working on some stuff.
WordPress 4.2.2 is a critical security release for all previous versions, addressing two serious security issues:
- The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it.
- WordPress versions 4.2 and earlier are affected by an XSS vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue.
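The cleanup described above for the Genericons HTML file, as an added example that is not WordPress core code and not part of the original post: a small POSIX shell helper a site owner could run against a wp-content directory to list, count, or remove any leftover copies before or after upgrading. It assumes the file sits at `<theme-or-plugin>/genericons/example.html`, and the sample layout it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not WordPress core code): locate leftover Genericons
# example.html files under a wp-content directory, the way a site owner
# might audit a site that has not yet been upgraded to 4.2.2.
# Assumption: the file lives at <theme-or-plugin>/genericons/example.html.

# Print every matching file, one per line, sorted for stable output.
find_genericons_example() {
    wp_content="$1"
    find "$wp_content" -type f -path '*/genericons/example.html' -print | sort
}

# Count matches so a cron job or admin script can act on a number.
count_genericons_example() {
    find_genericons_example "$1" | wc -l | tr -d ' '
}

# Delete each match (mirrors what the 4.2.2 upgrade does) and report it.
remove_genericons_example() {
    find_genericons_example "$1" | while IFS= read -r f; do
        rm -f -- "$f" && printf 'removed %s\n' "$f"
    done
}

# Constructed sample layout for demonstration: a temporary wp-content with
# one example.html in a theme, one in a plugin, and an unrelated HTML file
# that must be left alone.
make_sample_wp_content() {
    d=$(mktemp -d)
    mkdir -p "$d/themes/twentyfifteen/genericons" \
             "$d/plugins/someplugin/genericons" \
             "$d/themes/other"
    : > "$d/themes/twentyfifteen/genericons/example.html"
    : > "$d/plugins/someplugin/genericons/example.html"
    : > "$d/themes/other/readme.html"
    printf '%s\n' "$d"
}
```

Point `find_genericons_example` at your real wp-content path (for example `/var/www/html/wp-content`) to audit a live site; the constructed sample directory is only there to show the helpers working.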
The WordPress 4.2.2 Security and Maintenance release also includes hardening against a potential XSS vulnerability in the visual editor. Aside from that, it also contains 13 bug fixes for issues found in version 4.2, such as:
- Attachment URLs should only be forced to SSL on the front end
- Improve performance of loop detection in _get_term_children()
- Ensure unintelligible DB schemas don’t result in content loss
- Bundled Themes: Remove Genericons example.html files
- When upgrading WordPress remove genericons example.html files
All WordPress users are encouraged to upgrade to WordPress 4.2.2 immediately. If you have enabled Automatic Updates, you’re good to go. If you haven’t, you can update in one of two ways: via Dashboard > Updates > Update Now, or manually by downloading WordPress 4.2.2 from WordPress.org and uploading it to your server via FTP.
It’s important to monitor your WordPress blogs or sites frequently and keep them up to date, including their themes and plugins. Also, make it a habit to take regular backups of all your important files and folders, such as the .htaccess file and the wp-content folder, as well as any custom files you have.
Better safe than sorry. Update your WordPress installation ASAP!