WordPress has rolled out the newest version of its content management system (CMS), WordPress 4.2.3, patching a critical security vulnerability that could ultimately have led to a full site compromise, along with fixes for 20 bugs. The flaw affects the security of millions of sites across the web.
WordPress 4.2.3 resolves a critical cross-site scripting (XSS) vulnerability that could allow any user with a WordPress account, even one holding only the low-privilege Contributor or Author role, to compromise the website. A single-site WordPress install has five default user roles: Subscriber, Contributor, Author, Editor and Administrator. Each role grants its users a different set of permissions (WordPress calls them capabilities), and only Editors and Administrators hold the unfiltered_html capability that exempts their content from HTML filtering.
“We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft,” Gary Pendergast of the WordPress team wrote in the WordPress 4.2.3 security release.
Cross-site scripting is a vulnerability in a web application's code that lets an attacker inject script into pages the site serves to other users. The flaw has become a favorite of cybercriminals sweeping the web.
According to WordPress, the vulnerability could allow an attacker to embed maliciously crafted HTML, Flash, JavaScript or other code into the site, circumventing WordPress's kses protection, the allowlist filter applied to content submitted by users who lack the unfiltered_html capability. Because the injected code is stored in the site, it runs in the browser of anyone who views the affected content, including administrators, and can be used to steal sensitive data such as that user's session cookies for the site. The release notes do not spell out how the filter is bypassed.
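To make the kses idea concrete, here is an added example, written for this article and not WordPress's own wp_kses implementation: a small allowlist sanitizer in Python modelled on the approach kses takes for users without the unfiltered_html capability. The tag and attribute allowlist, the URL-scheme rule and the sample payloads are assumptions chosen for the example. It shows why such a filter stops the script injections a Contributor might attempt, and therefore why a flaw that lets content reach a page without passing through the filter is so serious.

```python
"""Illustrative allowlist sanitizer (example code, not wp_kses)."""
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this example: tag -> attributes permitted on it.
# Anything not listed (script, style, iframe, on* handlers, ...) is dropped.
ALLOWED = {
    "a": {"href", "title"},
    "b": set(), "strong": set(), "em": set(), "i": set(),
    "p": set(), "br": set(),
    "img": {"src", "alt"},
}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    @staticmethod
    def _safe_url(value):
        # Remove control characters and whitespace first, so tricks such
        # as "java<TAB>script:" do not slip past the scheme check.
        v = re.sub(r"[\x00-\x20]", "", value.strip().lower())
        if ":" not in v:
            return True          # relative URL, no scheme to abuse
        return v.startswith(SAFE_URL_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return               # drop the tag; its text content is kept as text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue         # e.g. onerror=, onload=, style= are never kept
            if name in ("href", "src") and not self._safe_url(value or ""):
                continue         # javascript:, data:, vbscript: ... are dropped
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # <br/> -> <br>

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so the body of a dropped <script> tag is
        # rendered as harmless text rather than executed.
        self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return html with only allowlisted markup left in place."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample payloads a low-privilege user might submit.
SAMPLE_PAYLOADS = [
    '<p>Hello <b>world</b></p>',
    '<script>alert(document.cookie)</script>',
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    '<a href="java\tscript:alert(1)">click</a>',
    '<a href="https://example.com/">ok</a>',
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(repr(payload), "->", repr(sanitize(payload)))
```

This is a teaching model only: a production filter such as wp_kses (or a browser-side library such as DOMPurify) has to handle far more, including entity decoding in attributes, CSS in style attributes and protocol-relative URLs. The point is the shape of the defense: everything not explicitly allowed is removed, so the only way to get script into the page is to avoid the filter altogether, which is what the article describes the flaw as doing.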
The vulnerability is already being used to attack live sites; however, the number of websites compromised through it is unknown, as the published details remain vague.
WordPress is no stranger to cross-site scripting vulnerabilities. In just the past four months, WordPress and its plugin authors have issued numerous security patches fixing critical XSS flaws.
Every install still on the previous release, WordPress 4.2.2, or older is affected by this vulnerability, and all WordPress site owners should update immediately. Sites that have not disabled automatic background updates for minor releases will receive 4.2.3 on their own. To update manually, log in to your WordPress admin panel, hover over Dashboard, click Updates, then click Update Now to complete the upgrade; if you manage the site from the command line, WP-CLI's wp core update does the same. Afterwards, confirm the version shown on the Updates screen reads 4.2.3 or later.
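As an added check to go with the update advice above (example code written for this article, not a WordPress or WP-CLI tool), the following reads the version string that WordPress records in wp-includes/version.php and flags any install older than 4.2.3. The sample file contents are constructed for the example, and the check_install helper and the directory layout it assumes are assumptions; the 4.2.3 threshold is the fixed release named in the article, so installs on older branches are flagged as well and should be checked against WordPress's own release notes for those branches.

```python
"""Flag WordPress installs older than 4.2.3 (example code, not a WordPress tool)."""
import re
from pathlib import Path

FIXED_VERSION = (4, 2, 3)   # first release carrying the fix, per the article

# Constructed sample of wp-includes/version.php from a not-yet-updated site.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.2.2';
$wp_db_version = 31536;
"""


def parse_wp_version(php_source):
    """Extract the value assigned to $wp_version in version.php."""
    match = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", php_source)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_tuple(version):
    """'4.2.3' -> (4, 2, 3); pre-release suffixes such as '4.3-alpha' are ignored."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def needs_update(version, fixed=FIXED_VERSION):
    """True when the install runs anything older than the fixed release."""
    return version_tuple(version) < fixed


def check_install(wp_root):
    """Read wp-includes/version.php under wp_root and report (version, needs_update)."""
    source = Path(wp_root, "wp-includes", "version.php").read_text(encoding="utf-8")
    version = parse_wp_version(source)
    return version, needs_update(version)


if __name__ == "__main__":
    found = parse_wp_version(SAMPLE_VERSION_PHP)
    status = "UPDATE REQUIRED" if needs_update(found) else "ok"
    print(f"sample install reports {found}: {status}")
```

Run check_install against the document root of each site you manage; the version.php check works even when the admin panel is unreachable, and it is the same string that the Updates screen displays.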