Do you, or your business, run a self-hosted WordPress site?
If so, it’s time to ensure that you are updating to the latest version.
The WordPress guys have just released version 4.2.3, which they describe as a security and maintenance release for all previous WordPress versions:
WordPress versions 4.2.2 and earlier are affected by a critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site. This was reported by Jon Cave of the WordPress Security Team, and fixed by Robert Chapin.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.
According to reports, the security issue lies in how shortcodes are handled inside HTML attributes – a maliciously-crafted shortcode could bypass WordPress’s kses filter, which is designed to strip disallowed markup out of HTML, by tricking it into treating the output as valid.
Managed WordPress service WP Engine, who I use to run this website, describes the potential consequences of the vulnerability:
This vulnerability may allow users without the unfiltered_html capability, but with publishing rights, to run JavaScript code on the front end of the website. This security update ensures all shortcodes inside attributes are evaluated and then run both through kses separately and escaped for use in attributes.
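The fix WP Engine describes, modelled as an added Python example (this is not WordPress's or WP Engine's code; the shortcode handlers, the tag allowlist and the `title` attribute template are constructed stand-ins for `do_shortcode`, `wp_kses` and `esc_attr`):

```python
import html
import re

# Simplified model of the 4.2.3 change: shortcode output that lands inside an
# HTML attribute is run through a kses-style tag allowlist and then escaped for
# attribute context, instead of being dropped into the attribute verbatim.
SHORTCODE_RE = re.compile(r"\[(\w+)\]")
TAG_RE = re.compile(r"</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>")
ALLOWED_TAGS = {"b", "em", "strong"}  # tiny constructed stand-in for the kses allowlist

# Constructed shortcode handlers; "bio" returns untrusted output containing a quote.
SHORTCODES = {
    "site": lambda: "Example Site",
    "bio": lambda: 'Alice" <script>x</script> <b>bold</b>',
}


def expand_shortcodes(text: str) -> str:
    """Replace each [name] token with its handler's output; unknown names are left as-is."""
    def replace(match: re.Match) -> str:
        handler = SHORTCODES.get(match.group(1))
        return handler() if handler else match.group(0)
    return SHORTCODE_RE.sub(replace, text)


def kses_like(fragment: str) -> str:
    """Drop every tag whose name is not on the allowlist, keeping the text between tags."""
    return TAG_RE.sub(lambda m: m.group(0) if m.group(1).lower() in ALLOWED_TAGS else "", fragment)


def attr_escape(value: str) -> str:
    """Escape for attribute context so a quote in the value cannot close the attribute."""
    return html.escape(value, quote=True)


def render_title_vulnerable(raw_title: str) -> str:
    """Pre-4.2.3 pattern: expanded shortcode output placed straight into the attribute."""
    return f'<a title="{expand_shortcodes(raw_title)}">link</a>'


def render_title_fixed(raw_title: str) -> str:
    """4.2.3 pattern: expand, filter through the allowlist, then escape for the attribute."""
    return f'<a title="{attr_escape(kses_like(expand_shortcodes(raw_title)))}">link</a>'


def title_value(markup: str) -> str:
    """Return the title attribute value as delimited by its quotes (what a parser would see)."""
    return re.match(r'<a title="([^"]*)"', markup).group(1)
```

With the vulnerable pattern the quote in the shortcode output closes the attribute early and the rest of the output becomes markup; with the fixed pattern the whole output stays inside the attribute value.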
Since WordPress 3.7 was released in October 2013, the software has come with the option of automatic security updates – hopefully ensuring that many site admins won’t have to worry so much about whether they have kept their software updated or not.
But, of course, there will always be those who don’t have automatic updates enabled and may miss the news. 🙁
Updating WordPress is pretty easy. You just go to Dashboard → Updates and click “Update Now.”
Of course, it’s always good practice to test a new version of the software on a non-live version of your site first – if you have that capability – just in case.
Note: Sites running self-hosted versions of WordPress from WordPress.org are different from the many millions of blogs which run on WordPress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.
Although there are some limitations on what website owners can do on WordPress.com, they can always be sure that they are running the latest version of WordPress.
Don’t worry if you find the names confusing. Everyone finds the names confusing. It’s kinda crazy.
Article source: https://grahamcluley.com/2015/07/wordpress-4-2-3-security-update/