WordPress 4.2.1 Security Release Now Available

An XSS vulnerability was found in WordPress 4.2 shortly after the official release which was released just a few days ago.

The issue resulted in a quick update and critical security release. WordPress 4.2.1 is now available.

The discovery was reported by Klikki Oy. The current versions of WordPress 4.2 are vulnerable to a stored XSS.

In the article, you can read. I quote.

An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed.

If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.

More information about the vulnerability is described by Klikki like this:

If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long.

The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.

Here’s a video of WordPress 4.2 stored XSS attack in progress:

When the WordPress team was made aware of a cross-site scripting vulnerability the problem was quickly corrected and 4.2.1 security release began to be rolled out.

For more information, see the release notes or check out the list of changes.

If your website does not update automatically, you can update via your Dashboard → Updates simply click the “Update Now”. Or Download WordPress 4.2.1 here.

What are your thoughts about this issue?

» WordPress 4.2.1 Security Release