WordPress 4.2.3 released, fixing critical security hole. Update!

Do you, or your business, run a self-hosted WordPress site?

If so, it's time to ensure that you are updating to the latest version.

The WordPress guys have just released version 4.2.3, which they describe as a security and maintenance release for all previous WordPress versions:

WordPress versions 4.2.2 and earlier are affected by a critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site. This was reported by Jon Cave of the WordPress Security Team, and fixed by Robert Chapin.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

According to reports, the security issue lies in how shortcodes are handled when they appear inside HTML attributes. kses, the filter WordPress runs over content from users who lack the unfiltered_html capability, is designed to strip dangerous markup out of HTML; a maliciously crafted shortcode can bypass it because, at filtering time, the shortcode looks like harmless attribute text, and its real output only appears when the shortcode is expanded later.

Managed WordPress service WP Engine, who I use to run this website, describes the potential consequences of the vulnerability:

This vulnerability may allow users without the unfiltered_html capability, but with publishing rights, to run JavaScript code on the front end of the website. This security update ensures all shortcodes inside attributes are evaluated and then run both through kses separately and escaped for use in attributes.
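To make that ordering problem concrete, here is a toy model written for this post (example code, not WordPress's own kses or shortcode implementation). It assumes a hypothetical [echo] shortcode whose output can contain a raw double quote, a tiny allowlist sanitizer standing in for kses, and a constructed post from a user with publishing rights but no unfiltered_html. The payload is built for the model and is not the vector reported against 4.2.2; what it shows is why filtering at save time and expanding at display time leaves a gap, and what "evaluate, kses separately, escape for attributes" closes.

```python
"""Toy model of the shortcode-in-attribute problem fixed in WordPress 4.2.3.

Added illustration, not WordPress code: toy_kses(), the shortcode parser and
the [echo] shortcode are stand-ins written for this example.
"""
import html
import re
from html.parser import HTMLParser

# Hypothetical [echo text='...'] shortcode.  It decodes entities and returns the
# text unescaped, standing in for any shortcode whose output may contain a raw
# double quote.  The post itself never needs a raw quote to reach that output.
def echo_shortcode(attrs):
    return html.unescape(attrs.get("text", ""))

SHORTCODES = {"echo": echo_shortcode}

# Allowlist for the toy sanitizer: tag -> attributes it may keep.
ALLOWED = {"a": {"href", "title"}, "b": set()}

TAG_RE = re.compile(r"<(/?)([A-Za-z0-9]+)([^>]*)>")
ATTR_RE = re.compile(r'([A-Za-z-]+)="([^"]*)"')
SHORTCODE_RE = re.compile(r"\[([a-z]+)((?:\s+[a-z]+='[^']*')*)\s*\]")
SC_ATTR_RE = re.compile(r"([a-z]+)='([^']*)'")


def toy_kses(markup):
    """Allowlist sanitizer in the spirit of wp_kses(): unknown tags are dropped,
    known tags keep only allowlisted attributes, so on* handlers never survive."""
    def fix_tag(m):
        closing, tag, raw = m.group(1), m.group(2).lower(), m.group(3)
        if tag not in ALLOWED:
            return ""
        if closing:
            return f"</{tag}>"
        kept = "".join(
            f' {name.lower()}="{value}"'
            for name, value in ATTR_RE.findall(raw)
            if name.lower() in ALLOWED[tag]
        )
        return f"<{tag}{kept}>"
    return TAG_RE.sub(fix_tag, markup)


def run_shortcode(m):
    name, attrs = m.group(1), dict(SC_ATTR_RE.findall(m.group(2)))
    handler = SHORTCODES.get(name)
    return handler(attrs) if handler else m.group(0)  # unknown: left as typed


def expand_shortcodes(text, attribute_safe):
    """Replace [name attr='v'] with the handler's output.

    attribute_safe=False is the pre-4.2.3 shape: raw output is spliced in
    wherever the shortcode sat, even in the middle of an attribute value.
    attribute_safe=True follows the description quoted above: a shortcode found
    inside an attribute is expanded, run through kses on its own, then escaped
    for attribute context before being put back.
    """
    if attribute_safe:
        def fix_attr(m):
            expanded = SHORTCODE_RE.sub(run_shortcode, m.group(2))
            safe = html.escape(toy_kses(expanded), quote=True)
            return f'{m.group(1)}="{safe}"'
        text = ATTR_RE.sub(fix_attr, text)
    return SHORTCODE_RE.sub(run_shortcode, text)


def render(post_content, fixed):
    """kses runs when a user without unfiltered_html saves the post; shortcodes
    run at display time.  The gap between the two is what the attack rides on."""
    stored = toy_kses(post_content)  # what reaches the database
    return expand_shortcodes(stored, attribute_safe=fixed)


class _HandlerFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found += [name for name, _ in attrs if name.startswith("on")]


def event_handlers(rendered):
    """on* attribute names as an HTML parser (i.e. a browser) would see them."""
    parser = _HandlerFinder()
    parser.feed(rendered)
    return parser.found


# Constructed post from a user with publishing rights but no unfiltered_html.
# It contains no raw double quote and no on* attribute, so kses lets it through.
POST = "<a href=\"#\" title=\"[echo text='&quot; onmouseover=&quot;alert(1)']\">hover me</a>"

if __name__ == "__main__":
    print("stored:", toy_kses(POST))
    for fixed in (False, True):
        out = render(POST, fixed)
        print("4.2.3 " if fixed else "4.2.2 ", out, event_handlers(out))
```

Run it and the unfixed path renders `<a href="#" title="" onmouseover="alert(1)">`, an event handler kses would have refused had it been in the saved post; the fixed path leaves `title="&quot; onmouseover=&quot;alert(1)"`, which is inert text. A benign shortcode inside an attribute, such as one that produces a URL for href, still expands normally in the fixed path, which is the point of escaping rather than stripping. The real kses is an HTML-aware parser rather than a couple of regexes, so treat this as a model of the ordering, not of the code.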

Since WordPress 3.7 was released in October 2013, the software has shipped with automatic background updates for minor and security releases, enabled by default, which should mean that many site admins no longer have to worry so much about whether they have kept their software up to date.

But, of course, there will always be those who don't have automatic updates enabled and may miss the news. :(

Updating WordPress is pretty easy. You just go to Dashboard > Updates and click "Update Now."

Of course, it's always good practice to test a new version of the software on a non-live version of your site first - if you have that capability - just in case.

Note: Sites running self-hosted versions of WordPress from WordPress.org are different from the many millions of blogs which run on WordPress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.

Although there are some limitations on what website owners can do on WordPress.com, they can always be sure that they are running the latest version of WordPress.

Don't worry if you find the names confusing. Everyone finds the names confusing. It's kinda crazy.



4 Responses

  1. StewGreen

    July 27, 2015 at 7:52 am

    Graham, just got this news.
    The automatic update screwed up, so there’s a huge problem with thousands of sites running WordPress.
    Sarah Gooding best describes the WordPress situation:

    “WordPress 4.2.3, a critical security release, was automatically pushed out to users yesterday to fix an XSS vulnerability. Shortly afterwards, the WordPress.org support forums were flooded with reports of websites broken by the update. […]”

    Warning: that very link crashes my Chrome browser.
    http://wptavern.com/plugin-developers-demand-a-better-security-release-process-after-wordpress-4-2-3-breaks-thousands-of-websites

  2. StewGreen

    July 27, 2015 at 8:13 am

    Here's an example:
    "Dave Navarro, Jr. 5:55 am on July 24, 2015
    \\ may affect “some” usecases… //

    LOL! How about, you broke half the internet without so much as a “howdy do”.
    And if it worked before, why exactly can’t it work now? I am still not understanding why it had to change. WordPress itself was not intended for many of its uses today, are you going to start forcing people back into blogging? Designers/developers made better use of it than you intended and you don’t like that?"
    from https://make.wordpress.org/core/2015/07/23/changes-to-the-shortcode-api/

  3. StewGreen

    July 27, 2015 at 8:34 am

    Ah yes, here is an explanation page.
    And if your WordPress was affected: "A (beta) fix is available. Please go to your Toolset account"
    "The latest WordPress upgrade to 4.2.3 packed some last-minute changes related to a security hole on the shortcode parser. Unfortunately, these changes also break every shortcode that has HTML attributes. Many sites are affected by this change."
    https://wp-types.com/2015/07/wordpress-4-2-3-fixes-a-security-problem-but-breaks-sites-with-shortcodes/

  4. Fahad Rafiq

    August 11, 2015 at 2:37 pm

    Occasionally WordPress core updates might break your website; that happens because the authors of plugins or themes may not be aware of the upcoming updates, as we saw in the WordPress 4.2.3 release. If you are handling multiple WordPress clients and want to be safe before upgrading, then you can:
    1. Turn off the automatic core updates
    2. Take a backup of your site
    3. Upgrade and check; if something is out of order, then you can revert back for the time being.
    Details: http://www.cloudways.com/blog/wordpress-4-2-3-security-update-fixes/
