WordPress 4.2.4 Fixes Three XSS Vulnerabilities and One Potential SQL Injection


Six WordPress security bugs fixed in version 4.2.4

WordPress, the darling CMS of the open source community, has released moments ago version 4.2.4, which contains lots of security fixes addressing a wide range of issues.

Ten bugs have been fixed with this release, six of them being security-related, and quite dangerous if left unattended.

password-704252_640Three bugs were discovered relating to cross-site scripting (XSS) vulnerabilities, and one more as a potential SQL injection that could easily expose a compromised site to attackers.

These four bugs were reported by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov, member in the HackerOne bug hunting program.

Additionally, Mohamed A. Baset also discovered an issue that allowed attackers to lock posts indefinitely, preventing future edits to the site’s blog content.

Last but not least, Johannes Schmitt of Scrutinizer found a timing side-channel attack vector point which would allow attackers to analyze the time it took cryptographic algorithms to execute their routines.

To upgrade your WordPress installation, just go to the backend panel, in the Dashboard -> Updates section, and press the “Update Now” button.

If your site holds sensitive information, don’t forget to make a backup before triggering the update.