While we were all waiting for WordPress 4.2 to be released, a critical cross-site scripting vulnerability was discovered.
A security release for WordPress was published today: WordPress is now at version 4.1.2, as Gary Pendergast announced on the WordPress blog.
On the WordPress blog you can read:
This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress 4.1.1 and earlier versions are affected by a critical cross-site scripting vulnerability which, at worst, would enable anonymous users to compromise a site. It is highly recommended you update your website to the latest version.
The vulnerability was discovered and reported to the WordPress security team by Cedric Van Bockhaven, and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin.
You can update to WordPress 4.1.2 by logging in to your WordPress Dashboard, going to Updates, and clicking “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2. Alternatively, you can download the latest version from the WordPress website.
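Before relying on automatic background updates, an administrator with many sites usually wants to confirm which installs still report a version older than 4.1.2. The following is an added example written for this post, not code from WordPress or from the original article: it reads the `$wp_version` line that WordPress keeps in `wp-includes/version.php` (the sample file content below is constructed for the example) and compares it against the fixed version, treating a missing third component ("4.1") as ".0" and a pre-release suffix such as "-RC1" as older than the corresponding release.

```python
import re
from typing import Optional, Tuple

# Version in which this release's fixes ship, as stated in the post.
FIXED_VERSION = "4.1.2"

# Constructed sample of the relevant lines from wp-includes/version.php.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.1.1';
$wp_db_version = 30133;
"""


def parse_wp_version(version_php: str) -> Optional[str]:
    """Extract the value assigned to $wp_version from version.php text."""
    match = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '4.1', '4.1.2' or '4.1.2-RC1' into a comparable tuple.

    Missing components are padded with 0 so '4.1' equals '4.1.0'; a
    pre-release suffix sorts below the final release of the same number.
    """
    core, _, suffix = version.partition("-")
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    parts = parts + (0,) * (3 - len(parts))
    # -1 marks a pre-release (beta/RC), 0 marks a final release.
    return parts + ((-1,) if suffix else (0,))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def check_install(version_php: str) -> str:
    """Summarise the state of one install from its version.php content."""
    found = parse_wp_version(version_php)
    if found is None:
        return "could not determine version"
    status = "needs update" if is_affected(found) else "up to date"
    return f"WordPress {found}: {status}"


if __name__ == "__main__":
    print(check_install(SAMPLE_VERSION_PHP))
```

Run it against the real file with `check_install(open("wp-includes/version.php").read())` on each host; any install reporting "needs update" should be updated through the Dashboard or by replacing the core files with the 4.1.2 download.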
More security issues that have been fixed:
- In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
- In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
- Some plugins were vulnerable to SQL injection. Discovered by Ben Bidner of the WordPress security team.
- Four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati, Allan Collins and Marc-Alexandre Montpas.
Several of the plugins have already been updated and adapted to work with WordPress 4.1.2. To secure your WordPress website, update it now so that the security holes fixed in this release cannot be exploited. Simply put: update to avoid any potential vulnerability.
If you’re a plugin author, please read this post to confirm that your plugin is not affected by the same issue.