Thursday, 7 May 2015

WordPress 4.2.2 Security Release and Genericons vulnerability

WordPress 4.2.2 has just been released and contains several important security fixes. We recommend you update immediately if you haven't already been automatically upgraded.
  • The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this non-essential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. This was reported by Robert Abela of Netsparker.
  • WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi.
  • The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.
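
The wp-content clean-up described in the first item, as an added example rather than WordPress core's own code: a script that walks a wp-content tree, reports any HTML file sitting inside a Genericons package directory, and optionally removes it. It assumes the package lives in a directory named `genericons` (the usual layout, not stated on this page) and builds a constructed sample tree for the demo; the sample filename `demo.html` is invented.

```python
"""Audit a wp-content tree for stray HTML files inside Genericons packages.

Added example, not WordPress core code. An icon font package has no need
for HTML files, so any found here is a candidate for removal.
"""
import os
import tempfile
from pathlib import Path

PACKAGE_DIR = "genericons"          # assumed directory name of the icon package
HTML_SUFFIXES = {".html", ".htm"}   # extensions an icon package should not ship


def find_genericons_html(wp_content: str) -> list[str]:
    """Return sorted paths of HTML files located under any genericons directory."""
    hits = []
    for root, _dirs, files in os.walk(wp_content):
        rel_parts = [p.lower() for p in Path(root).relative_to(wp_content).parts]
        if PACKAGE_DIR not in rel_parts:
            continue
        for name in files:
            if Path(name).suffix.lower() in HTML_SUFFIXES:
                hits.append(os.path.join(root, name))
    return sorted(hits)


def remove_genericons_html(wp_content: str) -> list[str]:
    """Delete every file reported by find_genericons_html; return what was removed."""
    removed = []
    for path in find_genericons_html(wp_content):
        os.remove(path)
        removed.append(path)
    return removed


def build_sample_tree(base: str) -> None:
    """Write a constructed wp-content layout containing one stray HTML file."""
    layout = {
        "themes/twentyfifteen/genericons/genericons.css": "/* icon styles */",
        "themes/twentyfifteen/genericons/demo.html": "<html></html>",  # constructed
        "themes/twentyfifteen/index.php": "<?php // theme entry point",
        "plugins/example-plugin/readme.txt": "not HTML, must be left alone",
    }
    for rel, body in layout.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo() -> tuple[int, int, int]:
    """Build the sample tree, scan, clean, rescan; return (found, removed, remaining)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = find_genericons_html(tmp)
        removed = remove_genericons_html(tmp)
        remaining = find_genericons_html(tmp)
    return len(found), len(removed), len(remaining)


if __name__ == "__main__":
    print("found, removed, remaining:", demo())
```

Run it against a real install as `find_genericons_html("/path/to/wp-content")` first to review the hits before calling the removal function.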

The release also fixes 13 other bugs which you can learn more about on the release notes page for 4.2.2.