WordPress has released a new update in an effort to improve the security of its users’ websites.
This update, which brings the content management system (CMS) to version 4.1.2, is being called a “critical security release,” meaning users shouldn’t hesitate to upgrade their sites. WordPress remains the world’s most popular CMS, powering tens of millions of websites. But like all web-building platforms, it’s susceptible to security flaws and vulnerabilities, most of which come from outdated versions. The good news is that WordPress staff members typically identify and fix vulnerabilities in a timely manner. The bad news is that such fixes only work if users update their site to the latest version.
Cedric Van Bockhaven first identified and reported a cross-site scripting vulnerability in WordPress 4.1.1 and earlier versions that would enable anonymous users to infiltrate a website. While there have been no reports of this vulnerability being used, the WordPress security team worked promptly to release a patch. The new WordPress 4.1.2 reportedly fixes this vulnerability, protecting users’ websites from it.
“WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately,” wrote Gary Pendergast on the official WordPress blog. “WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.”
But the recent WordPress update does more than just plug up the cross-site scripting vulnerability. According to the company’s blog, 4.1.2 also fixes an issue that made certain plugins vulnerable to SQL injection, a second cross-site scripting vulnerability (used in social engineering attacks), and a bug which allowed files with invalid names to be uploaded.
At the same time WordPress 4.1.2 was released, dozens of plugins were also updated. WordPress developers and the security team work closely with plugin authors to ensure their plugins are secure and up to date. WordPress even published a post revealing which plugins were affected by one or more of the vulnerabilities spotted. Of course, you probably don’t need to worry about this unless you are a plugin author.
You can update your site to WordPress 4.1.2 by either downloading and installing the new version from https://wordpress.org/download/, or clicking the “update” button in your site’s dashboard.