WordPress 4.2.4 released, fixing critical security holes. Update immediately!

Graham Cluley

If you, or your business, run a self-hosted WordPress site then it’s time to update.

It’s only been a couple of weeks since the last security update for WordPress, but already new vulnerabilities have been found which could be exploited by malicious hackers to compromise your website.

In an advisory posted on WordPress.org, users were advised to “update their sites immediately”.

Here is the skinny from the advisory:

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

The good news is that WordPress comes with the option of automatic security updates – hopefully meaning that fewer sites will be left unpatched than would have been the case in the bad old days (two years ago).

But it is inevitable that some sites aren’t using automatic updates, for their own reasons, and may miss the news of this latest security release.
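As an added example (not code from the post, and not WordPress’s own code): a small must-use plugin that keeps minor security releases auto-installing and nags administrators when core is still older than 4.2.4. The file name wp-content/mu-plugins/core-update-guard.php and the `cug_` function names are assumptions; the filters, actions and helpers it calls are WordPress’s own.

```php
<?php
/*
Plugin Name: Core Update Guard (added example, not part of WordPress)
Description: Keeps minor (security) core auto-updates on and warns admins when core is older than 4.2.4.
*/

// Hypothetical file: wp-content/mu-plugins/core-update-guard.php
// Must-use plugins load on every request and cannot be deactivated from the dashboard.

// The minimum core version this guard treats as patched: the release discussed in the post.
const CUG_MIN_CORE_VERSION = '4.2.4';

// Weak configuration, shown for contrast only: either line in wp-config.php switches
// security releases off and leaves the site waiting for a human to click "Update Now".
//   define( 'AUTOMATIC_UPDATER_DISABLED', true );
//   define( 'WP_AUTO_UPDATE_CORE', false );

// Corrected behaviour: keep minor/security core updates enabled even if a theme or
// plugin tries to filter them off. Major releases are left to manual, tested rollout.
add_filter( 'allow_minor_auto_core_updates', '__return_true', 99 );

/**
 * Return true when the running core is older than the patched version.
 */
function cug_core_is_outdated( $running, $minimum = CUG_MIN_CORE_VERSION ) {
    return version_compare( $running, $minimum, '<' );
}

/**
 * Show a dashboard notice to users who can update core when the site is unpatched.
 */
function cug_admin_notice() {
    if ( ! current_user_can( 'update_core' ) ) {
        return;
    }
    $running = get_bloginfo( 'version' );
    if ( ! cug_core_is_outdated( $running ) ) {
        return;
    }
    printf(
        '<div class="error"><p>WordPress %s is running; %s or later fixes known security issues. <a href="%s">Update now</a>.</p></div>',
        esc_html( $running ),
        esc_html( CUG_MIN_CORE_VERSION ),
        esc_url( admin_url( 'update-core.php' ) )
    );
}
add_action( 'admin_notices', 'cug_admin_notice' );
```

The notice only appears to users holding the update_core capability, so ordinary authors and subscribers never see version details.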

Fortunately, updating WordPress manually is easy. You just go to Dashboard → Updates and click “Update Now.”


I do recommend, however, testing a new version of WordPress on a non-live version of your site before rolling out to the world – just in case any conflicts or problems arise.

Note: Sites running self-hosted versions of WordPress from WordPress.org are different from the many millions of blogs which run on WordPress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.

Although there are some limitations on what website owners can do on WordPress.com, they can always be sure that they are running the latest version of WordPress.

Yes, just about everybody finds the names confusing.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
