LONDON: WordPress has launched a fix for a critical security issue that has reportedly been actively exploited by attackers. WordPress’ Samuel Sidler urged all WordPress users to upgrade to version 4.2.2, which he said is a “critical security release for all previous versions.”
“WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue,” Sidler said in a blog post.
He said version 4.2.2 addresses two security issues:
– an HTML file bundled with the Genericons icon font package that is vulnerable to a cross-site scripting attack. All affected themes and plugins on WordPress.org, including the Twenty Fifteen default theme, have been updated to address this issue.
– hardening for a potential cross-site scripting vulnerability when using the visual editor.
Sidler said WordPress 4.2.2 also has fixes for 13 bugs from 4.2.
A separate report on PC World said attackers could compromise unpatched sites by tricking users into clicking malicious links, which would let the attackers steal the users’ authentication cookies.