WordPress has been updated to version 4.2.2 after a security vulnerability has been discovered and spotted by Sucuri, one of the leading security companies with specialization in WordPress security.
Samuel Sidler announced WordPress 4.2.2 on the WordPress blog earlier today. He reported – This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
According to Sucuri, are WordPress plugins that use Genericons vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with Genericons. Any theme or plugin that uses this example.html file is a potential risk if your themes or plugins utilize vector icons.
Worrying was, for example, the JetPack plugin (with over 1 million active installs) and TwentyFifteen theme (which is the default theme in WordPress) were found to be vulnerable. Both JetPack, TwentyFifteen has been updated so you need not be worried. With WordPress 4.2.2, this version proactively scans the wp-content directory for this HTML file and removes it.
What is DOM-based XSS?
For those of you who don’t know what XSS vulnerability is the OWASP group explain it as:
DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
It’s important you update your WordPress website to the latest version. Websites that support automatic background updates are already beginning to update to WordPress 4.2.2. Otherwise, you can update manually, in your Dashboard, go to Updates and click “Update Now.” You can also download WordPress 4.2.2 here.
WordPress version 4.2.2 addresses two security issues:
- The Genericons icon font package: Which is used in many popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated by removing this non-essential file.
- Critical cross-site scripting vulnerability: WordPress versions 4.2 and earlier could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. This version also includes hardening for a potential cross-site scripting vulnerability when using the visual editor.
If you would detect security risks or want to learn how you can report them can read in the Core Handbook – Reporting Security Vulnerabilities for the best way to report potential risks.
Who contributed to 4.2.2?
Aaron Jorbin, Andrew Ozz, Andrew Nacin, Boone Gorges, Dion Hulse, Ella Iseulde Van Dorpe, Gary Pendergast, Hinaloe, Jeremy Felt, John James Jacoby, Konstantin Kovshenin, Mike Adams, Nikolay Bachiyski, taka2, and willstedt.