Well-known blogging service WordPress has issued a critical security release to fix a vulnerability that could have compromised millions of websites. “WordPress versions 4.2.2 and earlier are affected by a critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site,” said Gary Pendergust in a blog post. Cross-site scripting is vulnerabilities in the code of Web applications that opens up the website to attacks. It’s one of the most common conduits used by hackers.
When there are vulnerabilities in the code, hackers can embed malicious HTML, JavaScript and other code to “fool” users into executing a script on their computers. By doing this, the hacker can then collect your data, including cookies stored on your machine. The problem was reportedly privately by Jon Cave and resolved by Robert Chapin, both of whom are members of the WordPress Security Team.
In addressing this vulnerability issue, the blogging service has also taken the opportunity to do a little maintenance and take care of some bugs. One of the bigger issues addressed in the update deals with fixing a problem where it was possible for a user with Subscriber permissions to to create a draft through Quick Draft. WordPress also addressed 20 other smaller bug fixes through the update.
Users are being encouraged to go ahead and update to version 4.2.3 and take full advantage of the changes and security fixes. WordPress did an excellent job of keeping things under wraps until the problem was resolved – and it was resolved swiftly. There’s a link provided by WordPress in their blog post for updating to 4.2.3 and we highly recommend getting that taken care of.