WordPress 4.3.1 Security and Maintenance Release



Just in case you missed the notification on your WordPress admin dashboard or via email, the WordPress 4.3.1 security and maintenance release was made available earlier today. I found out about the update while checking my email this morning.

WordPress 4.3.1 is a security release for all previous versions and everyone is strongly advised to upgrade ASAP. This version fixes three security issues: two XSS (cross-site scripting) vulnerabilities and a potential privilege escalation (exploiting a software bug or design flaw to gain elevated access to resources that are normally protected from an application or user, thereby allowing unauthorized actions).

  • WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
  • A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
  • Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.

Aside from the issues addressed above, WordPress 4.3.1 also includes 26 bug fixes and patches. You can check out more details about it by viewing the release notes or the list of changes.

If you haven’t upgraded your WordPress installation, please do so immediately. Those who have enabled automatic updates don’t need to do anything. To update manually, log in to the WordPress admin dashboard, go to Dashboard > Updates and click “Update Now”. You can also download the WordPress 4.3.1 installation zip file and upload it via an FTP client.

Please remember that, to avoid any conflicts, issues or problems with the upgrade process, you should do the following before upgrading:

  • back up your WordPress database;
  • back up the wp-content folder, the wp-config.php file, the .htaccess file and any other custom files;
  • deactivate all active plugins.
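The pre-upgrade checklist above, scripted as a POSIX shell routine. This is an added example, not code from the post or from WordPress: it assumes the standard install layout (wp-config.php, .htaccess and wp-content/ under the site root), a stock wp-config.php with single-quoted `define('DB_NAME', '...')` lines, and, optionally, `mysqldump` and WP-CLI (`wp plugin deactivate --all`) on the PATH. The function and file names are the example's own.

```shell
#!/bin/sh
# Pre-upgrade backup for a WordPress install (added example, not code from the post).
# Assumptions: ROOT holds wp-config.php, .htaccess and wp-content/; wp-config.php uses
# the stock single-quoted define() form; mysqldump and WP-CLI are optional extras.
# Usage: sh wp-preupgrade.sh /var/www/html /var/backups/wordpress

# Print the value of define('NAME', 'value') from wp-config.php ($1 = file, $2 = NAME).
wp_config_value() {
    sed -n "s/^[[:space:]]*define( *'$2', *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Dump the database named in wp-config.php into $2/<dbname>.sql.
# Refuses to continue when mysqldump is missing: a database backup is not optional here.
wp_backup_db() {
    root=$1; out=$2
    if ! command -v mysqldump >/dev/null 2>&1; then
        echo "error: mysqldump not found; back up the database another way first" >&2
        return 1
    fi
    db=$(wp_config_value "$root/wp-config.php" DB_NAME)
    user=$(wp_config_value "$root/wp-config.php" DB_USER)
    pass=$(wp_config_value "$root/wp-config.php" DB_PASSWORD)
    host=$(wp_config_value "$root/wp-config.php" DB_HOST)   # assumed plain host, no :port
    # MYSQL_PWD keeps the password out of the process list, unlike -p on the command line
    MYSQL_PWD="$pass" mysqldump -h "${host:-localhost}" -u "$user" "$db" > "$out/$db.sql"
}

# Copy wp-config.php and .htaccess, archive wp-content, then record checksums of the copies.
wp_backup_files() {
    root=$1; out=$2
    cp "$root/wp-config.php" "$out/wp-config.php" || return 1
    if [ -f "$root/.htaccess" ]; then
        cp "$root/.htaccess" "$out/htaccess" || return 1   # renamed so it is not a hidden file
    fi
    tar -czf "$out/wp-content.tgz" -C "$root" wp-content || return 1
    # Checksums let you confirm the copies are intact before relying on them for a restore
    (cd "$out" && sha256sum wp-config.php wp-content.tgz > SHA256SUMS) || return 1
}

# Deactivate every plugin with WP-CLI so none interferes with the upgrade.
wp_deactivate_plugins() {
    root=$1
    if command -v wp >/dev/null 2>&1; then
        wp --path="$root" plugin deactivate --all >&2 || return 1
    else
        echo "note: WP-CLI not found; deactivate plugins under Plugins in the dashboard" >&2
    fi
}

# Run all three steps into a timestamped directory and print its path on success.
wp_backup() {
    root=$1; dest=$2
    out="$dest/wp-backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$out" || return 1
    wp_backup_db "$root" "$out" || return 1
    wp_backup_files "$root" "$out" || return 1
    wp_deactivate_plugins "$root" || return 1
    echo "$out"
}

if [ "$#" -eq 2 ]; then
    wp_backup "$1" "$2"
fi
```

The database step runs first and aborts the whole routine if it cannot dump, so you never end up with plugins deactivated and no database copy to fall back on. After the upgrade, reactivate plugins one at a time so that any conflict can be attributed to a specific plugin.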

I did the upgrade earlier today and everything went smoothly and haven’t noticed any issues so far running WordPress 4.3.1.

Anyone else upgraded to the WordPress 4.3.1 security and maintenance release? Did you experience any issues, conflicts or problems during the upgrade process? Please share your thoughts by leaving a comment below.

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Google+, Facebook or Twitter.

10 Comments

  1. Will

    September 25, 2015 at 7:32 AM

    Relating to my earlier posts I think I may have gotten hacked. Now my site was redirecting to oxxtm.com and I found a modified wp blog header PHP file that had a one line script added.

    • JP Habaradas

      September 28, 2015 at 3:31 PM

      Really? Sorry to hear that. Have you fixed the issue already? Tried to access your site and it seems to be okay now and no longer redirecting.

      Do you have any idea how it could’ve happened? Is it from one of the recent XSS vulnerabilities on WordPress itself or one of the plugins you’re using?

      • Will

        September 29, 2015 at 8:38 AM

        Not sure how I got hacked but I figured out the redirecting. A small javascript snippet was added to the wp-blog-header php file so I removed that. It might explain why one of my directories had a different permission setting previously as well.

        • JP Habaradas

          September 29, 2015 at 12:19 PM

          Are you the only one who has access to your blog or are there other users? It’s good that your site only was redirecting to another site. The damage could’ve been worse.

          If you don’t have it yet, I suggest you install a security plugin like Wordfence. It’ll prevent and notify you of unauthorized logins, changes to your WP files, etc.

          You might also want to install a plugin that backups your WordPress database (I use WP DBManager) so that you can keep copies just in case something goes wrong.

  2. Will

    September 21, 2015 at 10:55 AM

I eventually figured out the problem. The permissions on the wp-content folder were changed somehow. So the images and CSS could be accessed. I supposed that could happen from the upgrade as I never touched the folder permissions.

    • JP Habaradas

      September 21, 2015 at 11:35 AM

      Oh ok. Good to know that you were able to figure out the problem and fix it. It could happen during an upgrade especially if you come from an outdated version. What version of WordPress were you using prior to the upgrade?

      • Will

        September 21, 2015 at 2:47 PM

        I believe it was 4.3. I didn’t disable all the plugins but I did it manually. I have another site that upgraded automatically and it was fine. Just something to keep an eye out for as I hadn’t seen a permission change happen for no reason before!

        • JP Habaradas

          September 21, 2015 at 2:53 PM

          I see. With so many different themes, plugins and other configuration settings, it’s sometimes difficult to pinpoint the cause of these issues.

          Thanks for sharing this with us so we can also keep an eye out for the next upgrade. All the best!

  3. Will

    September 19, 2015 at 10:11 AM

    For some reason my wp-content folder permissions changed which broke my site (css and images not appearing). I also ran the wp database optimize recently. Not sure if the upgrade did that or how else it would have changed.

    • JP Habaradas

      September 20, 2015 at 11:43 PM

      Hi Will! Thanks for sharing your experience. Did you do the upgrade automatically or manually? Also, did you deactivate your plugins before the upgrade?

      Btw, is the site you’re talking about the same one as the one you provided on your comment URL? It seems that everything’s working fine already. Or are you talking about a different site?
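Two things surfaced in the comments above: an extra line that appeared in wp-blog-header.php, and wp-content permissions that changed without anyone touching them. Both are the kind of drift a file-integrity baseline catches early. The script below is an added example, not code from the post or the commenters: it records the SHA-256 of every PHP file outside wp-content (core files that only an upgrade should change) together with the mode bits of the main directories, and later diffs a fresh manifest against that baseline. The function names and manifest path are the example's own.

```shell
#!/bin/sh
# Core-file and permission drift check for a WordPress install (added example, not code
# from the post or the commenters). Run "baseline" right after a clean install or a verified
# upgrade, and "verify" on a schedule or whenever the site starts misbehaving.
# Usage: sh wp-integrity.sh baseline /var/www/html /var/lib/wp-baseline.txt
#        sh wp-integrity.sh verify   /var/www/html /var/lib/wp-baseline.txt

# Write a manifest: SHA-256 of every PHP file outside wp-content (themes and plugins change
# legitimately, core files should not) plus the mode bits of the directories an upgrade
# must not alter.
wp_baseline() {
    root=$1; manifest=$2
    (
        cd "$root" || exit 1
        find . -type f -name '*.php' ! -path './wp-content/*' -exec sha256sum {} + | LC_ALL=C sort -k 2
        for d in . wp-admin wp-includes wp-content; do
            if [ -d "$d" ]; then
                echo "mode $(ls -ld "$d" | cut -c1-10) $d"
            fi
        done
    ) > "$manifest"
}

# Rebuild the manifest and diff it against the baseline. Returns 0 when identical; otherwise
# prints the differing lines (changed hashes, new or missing PHP files, changed modes) and
# returns 1.
wp_verify() {
    root=$1; baseline=$2
    current=$(mktemp) || return 1
    wp_baseline "$root" "$current"
    if diff "$baseline" "$current" >/dev/null; then
        rm -f "$current"
        return 0
    fi
    echo "integrity drift in $root (< baseline, > current):" >&2
    diff "$baseline" "$current" | grep '^[<>]' >&2
    rm -f "$current"
    return 1
}

case "${1:-}" in
    baseline) wp_baseline "$2" "$3" ;;
    verify)   wp_verify "$2" "$3" ;;
esac
```

Because a legitimate upgrade rewrites core files, the baseline has to be refreshed after each upgrade you have checked yourself; a verify failure in between is the signal to look at the listed files before anything else. Keep the manifest outside the web root so that whatever modifies the site cannot also rewrite the record you compare it against.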
