WordPress 4.2.1 – Security Release Fixes Zero Day XSS Vulnerability – Update Now

Just 3 days after the release of WordPress 4.2, a security researcher found a zero-day XSS vulnerability that affects WordPress 4.2, 4.1.2, 4.1.1, 4.1.3, and 3.9.3. It allows an attacker to inject JavaScript into comments and hack your site. The WordPress team responded quickly and fixed the security issue in WordPress 4.2.1, and we strongly recommend that you update your sites immediately.

Jouko Pynnönen, a security researcher at Klikki Oy who reported the issue, described it as:

If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.

Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

This particular vulnerability is similar to the one reported by Cedric Van Bockhaven which was patched in the WordPress 4.1.2 security release.

Unfortunately, they did not use proper security disclosure and instead posted the exploit publicly on their site. This means that those who do not upgrade their sites will be at serious risk.

Update: We have learned that they tried contacting the WordPress security team but failed to get a timely response.

If you haven’t disabled automatic updates, then your site will automatically update.

Once again, we strongly advise that you update your site to WordPress 4.2.1. Make sure to back up your site before you update.
