Saturday, 25 July 2015

WordPress 4.2.3 released, fixes critical security hole. Update Now!

An important message for all WordPress bloggers: it’s time to make sure that you are updating to the latest version.

The WordPress team has just released version 4.2.3, which it describes as a security and maintenance release for all previous WordPress versions. The release fixes a critical security vulnerability that could have been exploited by hackers to take over websites, affecting the security of millions of sites.
"WordPress versions 4.2.2 and earlier are affected by a critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site. This was reported by Jon Cave of the WordPress Security Team, and fixed by Robert Chapin.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies."
According to reports, the security issue lies in how shortcodes are handled inside HTML attributes – maliciously crafted shortcodes could bypass WordPress’s kses code, which is designed to strip bad stuff out of HTML, by tricking it into thinking the code is valid.
Managed WordPress service WP Engine describes the potential consequences of the vulnerability:
"This vulnerability may allow users without the unfiltered_html capability, but with publishing rights, to run JavaScript code on the front end of the website. This security update ensures all shortcodes inside attributes are evaluated and then run both through kses separately and escaped for use in attributes."
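
The ordering problem described above, as a simplified model added here (Python, not WordPress's PHP code and not taken from the WordPress or WP Engine text). A toy attribute allowlist stands in for kses; the shortcode name `profile_url`, its output and the sample markup are constructed for illustration.

```python
import html
import re

# Constructed stand-in for a registered shortcode. The name "profile_url" and
# its output are hypothetical; the output is text a low-privileged author controls.
SHORTCODES = {"profile_url": lambda: 'x" data-injected="1'}

ALLOWED_ATTRS = {"href", "title"}
ATTR_RE = re.compile(r'\s([\w-]+)="([^"]*)"')
SHORTCODE_RE = re.compile(r"\[(\w+)\]")


def expand(text):
    """Replace each known [name] with the shortcode's raw output."""
    return SHORTCODE_RE.sub(
        lambda m: SHORTCODES[m.group(1)]() if m.group(1) in SHORTCODES else m.group(0),
        text)


def toy_filter(markup):
    """Toy allowlist filter (stand-in for kses): drop disallowed attributes."""
    return ATTR_RE.sub(
        lambda m: m.group(0) if m.group(1) in ALLOWED_ATTRS else "", markup)


def render_filter_then_expand(markup):
    """Pre-fix order: the filter only ever sees the inert [placeholder]."""
    return expand(toy_filter(markup))


def render_hardened(markup):
    """Order the update describes: expand the shortcode inside each attribute,
    filter that attribute on its own, then escape the value for attribute use."""
    def one_attr(m):
        name, value = m.group(1), expand(m.group(2))
        if name not in ALLOWED_ATTRS:
            return ""
        value = re.sub(r"<[^>]*>", "", value)  # attribute values carry no tags
        return ' %s="%s"' % (name, html.escape(value, quote=True))
    return ATTR_RE.sub(one_attr, markup)


def attr_names(markup):
    """Attribute names a browser would see on the single tag in markup."""
    return [m.group(1) for m in ATTR_RE.finditer(markup)]


SAMPLE = '<a href="[profile_url]" data-bad="1">link</a>'  # constructed input
```

In the filter-first path the allowlist removes `data-bad` but never sees the attribute that the shortcode output adds afterwards; in the hardened path the same output stays inside the `href` value as escaped text.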

Update your WordPress CMS Now!

Updating WordPress is pretty easy. You just go to Dashboard → Updates and click “Update Now.”

Since the release of WordPress 3.7 in October 2013, WordPress has come with the option of automatic security updates, which means many site admins won’t have to worry so much about whether they have kept their software updated or not. But if you have not enabled automatic updates, you need to update ASAP!