Wordpress has released yet another update, this time patching three active and exploitable Cross-Site-Scripting (XSS) flaws, a potential SQL injection flaw alongside six other security-related issues, leaving millions of domains vulnerable to be hijacked.
In a security advisory posted on Wordpress.org, the company urges everyone to “update their sites immediately.”
Three of the bugs discovered are related to XSS vulnerabilities while one additional vulnerability exposed the site to a potential SQL injection flaw.
The four other bugs patched were reported by Sucuri’s Marc-Alexandre, Helen Hou-Sandi of the Wordpress security team, Netanel Rubin of Check Point and Ivan Grigorox, an active researcher in the HackerOne bug bounty program.
In addition, researcher Mohamed A. Baset disclosed a Wordpress flaw that allows attackers to lock targeted posts indefinitely, preventing the owner from being able to make future edits to the active content. Content would be locked from the site owner and authors trying to update the post.
The last bug disclosed was a timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, allowing potential attackers to analyze the time it took cryptographic algorithms to execute their tasks.
Wordpress is no stranger to cross-site scripting attacks, in just the past few months the company has issued a number of security patches, patching several XSS flaws, and even one comment flaw that could expose the admin password. The security team over at Wordpress has been working relentlessly to patch the never-ending waterfall of vulnerabilities, to say the least.
If you manage or operate a Wordpress site we urge you to upgrade your site to the latest Wordpress 4.2.4 patch, by going to Dashboard > Update and clicking the Update Now button. Wordpress’s latest release only patches critical security flaws, meaning any custom changes made to the backend, themes and plugins should remain unaffected.