If you have one or more websites running WordPress, you should check to make sure they are updated to the latest version.
Vulnerability in Version 4.1.1 and Older
Earlier this week, the WordPress security team identified a vulnerability in versions 4.1.1 and older that could be exploited by hackers to access websites. According to the security team, the security issue was a cross-site scripting vulnerability that allowed anonymous users to compromise a website. They didn’t provide any specific details on how this vulnerability works, which is probably a good thing since you don’t want to reveal methods to potential hackers, but WordPress users should still heed the warning.
Gary Pendergast published the following message on the WordPress blog:
“WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.”
The good news is that WordPress has since fixed the cross-site scripting vulnerability, patching the issue in version 4.1.2. As long as your website is running the latest version of WordPress, it should be protected against this vulnerability.
Other fixes made in WordPress version 4.1.2 include the following:
- Fixed a security bug that allowed files with invalid and/or unsafe names to be uploaded.
- Fixed a separate cross-site vulnerability that could be used as part of an attack involving social engineering.
- Fixed a security vulnerability that allowed hackers to perform SQL injection through certain plugins.
A handful of plugins were also updated simultaneously when WordPress 4.1.2 was released. Of course, this won’t be the last update WordPress makes, which is why it’s recommended that you check the WordPress blog regularly. Ideally, you should update your site to the newest version as soon as it’s released; otherwise, your site could be susceptible to malicious attacks.
So, how do you update your website to the latest version of WordPress to avoid this security flaw? You have one of three options: you can download and install WordPress 4.1.2 from https://wordpress.org/download/; use one of the dozens of auto-update plugins available in the WordPress plugin directory; or you can log in to your website and choose Dashboard > Updates > Update Now (this option is the easiest).
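If you administer several WordPress sites, the quickest way to confirm the post's advice has been followed is to read the version WordPress records on disk and compare it with 4.1.2. The following script is an added example written for this post; it is not code from WordPress or from the original article. It relies on the fact that WordPress stores its version in `wp-includes/version.php` as `$wp_version = '...';`; the regular expression, the version-ordering rules for pre-release suffixes such as `-beta1` or `-RC1`, and the sample file contents are constructed here and are assumptions, not WordPress code.

```python
import os
import re
from typing import Optional, Tuple

# The release the post says closed the cross-site scripting flaw.
PATCHED_VERSION = "4.1.2"

# Matches the assignment WordPress writes in wp-includes/version.php.
# The pattern is an assumption about that file's layout, not WordPress code.
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'\s*;")

# Constructed sample of the relevant part of wp-includes/version.php
# for an installation still on the vulnerable release.
SAMPLE_OLD_VERSION_PHP = """<?php
/**
 * The WordPress version string
 *
 * @global string $wp_version
 */
$wp_version = '4.1.1';

$wp_db_version = 30133;
"""


def extract_wp_version(version_php: str) -> Optional[str]:
    """Return the $wp_version string from version.php contents, or None."""
    match = VERSION_RE.search(version_php)
    return match.group(1) if match else None


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '4.2-beta1' into ((4, 2), 'beta1'); a release build has '' suffix."""
    core, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    return numbers, suffix


def is_patched(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True if `version` is at or above the patched release.

    Numeric components decide first (4.1 is padded to 4.1.0 so the
    comparison is positional). When the numbers tie, a pre-release build
    (beta/RC) of the patched version is treated as NOT patched, because it
    was cut before the final release that shipped the fix. A pre-release of
    a higher version (e.g. 4.2-beta1) is assumed to include it.
    """
    numbers, suffix = parse_version(version)
    patched_numbers, _ = parse_version(patched)
    width = max(len(numbers), len(patched_numbers))
    numbers += (0,) * (width - len(numbers))
    patched_numbers += (0,) * (width - len(patched_numbers))
    if numbers != patched_numbers:
        return numbers > patched_numbers
    return suffix == ""


def audit_version_php(version_php: str) -> Tuple[Optional[str], str]:
    """Classify one version.php's contents as 'patched', 'vulnerable' or 'unknown'."""
    version = extract_wp_version(version_php)
    if version is None:
        return None, "unknown"
    return version, "patched" if is_patched(version) else "vulnerable"


def audit_install(docroot: str) -> Tuple[Optional[str], str]:
    """Audit a WordPress installation by reading its wp-includes/version.php."""
    path = os.path.join(docroot, "wp-includes", "version.php")
    try:
        with open(path, encoding="utf-8") as handle:
            return audit_version_php(handle.read())
    except OSError:
        return None, "unknown"


if __name__ == "__main__":
    # Run against the constructed sample; pass a real document root to
    # audit_install() to check a live site.
    print(audit_version_php(SAMPLE_OLD_VERSION_PHP))
```

Run it from a cron job or a configuration-management check across every document root you manage, and treat any `vulnerable` or `unknown` result as a site to update through one of the three options above. The `unknown` status matters as much as `vulnerable`: a missing or rewritten `version.php` is itself worth a look.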
Have you upgraded to the latest version of WordPress? Let us know in the comments section below!