WordPress 4.2.3 released, fixes critical security hole. Update Now!
An important message to all WordPress bloggers: it’s time to ensure that you update to the latest version.
The WordPress team has just released version 4.2.3, which it describes as a security and maintenance release for all previous WordPress versions. The release fixes a critical security vulnerability that could have been exploited by hackers to take over websites, affecting the security of millions of sites.
"WordPress versions 4.2.2 and earlier are affected by a critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site. This was reported by Jon Cave of the WordPress Security Team, and fixed by Robert Chapin.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies."
According to reports, the security issue lies in how shortcodes are handled inside HTML attributes: maliciously crafted shortcodes could bypass WordPress’s kses code, which is designed to strip bad stuff out of HTML, by tricking it into thinking the code is valid.
Managed WordPress service WP Engine describes the potential consequences of the vulnerability:
Update your WordPress CMS Now!
Updating WordPress is pretty easy. You just go to Dashboard → Updates and click “Update Now.”
Since the release of WordPress 3.7 in October 2013, WordPress has come with the option of automatic security updates, which means that many site admins don’t have to worry so much about whether they have kept their software updated. But if you have not enabled automatic updates, you need to update it ASAP!
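For admins who look after several installs, the check can be scripted from the files on disk. The following is an added example, not code from WordPress or from this article: it reads the `$wp_version` line from `wp-includes/version.php` and looks in `wp-config.php` for the `AUTOMATIC_UPDATER_DISABLED` and `WP_AUTO_UPDATE_CORE` constants. The sample file contents are constructed, and the function names are this example's own.

```python
import re

FIXED = (4, 2, 3)  # release the article says to update to

# Constructed sample files (not taken from any real site).
SAMPLE_VERSION_PHP = """<?php
$wp_version = '4.2.2';
"""
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example' );
// define( 'WP_AUTO_UPDATE_CORE', true );
define( 'AUTOMATIC_UPDATER_DISABLED', true );
"""

VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"](\d+(?:\.\d+)*)""", re.M)
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*['"]?(\w+)['"]?\s*\)\s*;""", re.M)


def parse_version(version_php):
    """Return $wp_version as a 3-tuple of ints, or None if it is absent."""
    m = VERSION_RE.search(version_php)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))  # "4.2" -> (4, 2, 0)


def auto_updates_disabled(wp_config):
    """True if wp-config.php switches off automatic core updates."""
    # The line-anchored regex skips defines commented out with // or #.
    defines = {k: v.lower() for k, v in DEFINE_RE.findall(wp_config)}
    return (defines.get("AUTOMATIC_UPDATER_DISABLED") == "true"
            or defines.get("WP_AUTO_UPDATE_CORE") == "false")


def audit(version_php, wp_config):
    """Summarise one install: parsed version, update needed, auto-update state."""
    version = parse_version(version_php)
    return {
        "version": version,
        # A version that cannot be read is treated as needing attention.
        "needs_update": version is None or version < FIXED,
        "auto_updates_disabled": auto_updates_disabled(wp_config),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG))
```

Defines inside `/* ... */` block comments and updates switched off through plugin filters are not detected by this check.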