Critical Cross-Site Scripting Vulnerability in WordPress < 4.2.3



Mattias Geniar, July 23, 2015


WordPress 4.2.3 has just been released and fixes a critical XSS vulnerability that requires immediate patching.

The fix for this vulnerability is well hidden in commit 33360, where major portions of the shortcode functionality have been rewritten.

More specifically, the fix is in the files wp-includes/kses.php and wp-includes/shortcodes.php.

[image: wordpress_4_2_3_xss]

Feel free to browse through the patch and don’t forget to update your WordPress installations in the meantime.

If you’ve enabled the auto-update feature of WordPress, you’ll find WordPress did you a favour and auto-patched it already.
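If you manage more than one site, a quick way to act on the two points above (is the install at 4.2.3 yet, and if not, will auto-update take care of it) is to read the version and the auto-update settings straight off disk. The script below is an added example and is not part of the original post or of WordPress itself. It assumes the stock layout, which the post does not spell out: wp-includes/version.php declares `$wp_version`, and wp-config.php may define `AUTOMATIC_UPDATER_DISABLED` or `WP_AUTO_UPDATE_CORE` (minor/security releases auto-install unless one of those turns them off). The sample roots it builds under mktemp are constructed so it runs offline; the file name wp-audit.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post or from WordPress): audit
# WordPress document roots for the 4.2.3 fix. Assumed layout:
#   <root>/wp-includes/version.php  holds  $wp_version = '4.2.x';
#   <root>/wp-config.php            may define AUTOMATIC_UPDATER_DISABLED
#                                   or WP_AUTO_UPDATE_CORE

FIXED_VERSION="4.2.3"

# version_ge A B: succeed (0) if dotted version A >= B, fail (1) otherwise.
# Non-numeric suffixes such as "4.3-beta1" are truncated to their digits.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# wp_version_of ROOT: print the $wp_version declared in wp-includes/version.php.
wp_version_of() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || return 1
    sed -n "s/^\\\$wp_version *= *['\"]\([^'\"]*\)['\"].*/\1/p" "$f" | head -n 1
}

# auto_update_disabled ROOT: succeed if wp-config.php switches core
# auto-updates off (either define stops the background minor-release updater).
auto_update_disabled() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 1
    grep -Eq "define\( *['\"]AUTOMATIC_UPDATER_DISABLED['\"] *, *true" "$cfg" && return 0
    grep -Eq "define\( *['\"]WP_AUTO_UPDATE_CORE['\"] *, *false" "$cfg" && return 0
    return 1
}

# audit_install ROOT: print one line per root; exit 0 patched, 1 vulnerable,
# 2 when no version file is found.
audit_install() {
    dir="$1"
    v=$(wp_version_of "$dir" 2>/dev/null || :)
    if [ -z "$v" ]; then
        echo "$dir: no wp-includes/version.php, not a WordPress root?"
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "$dir: $v is patched"
        return 0
    fi
    if auto_update_disabled "$dir"; then
        echo "$dir: $v is VULNERABLE and core auto-update is off, update by hand"
    else
        echo "$dir: $v is VULNERABLE, auto-update is on, confirm it has run"
    fi
    return 1
}

# Constructed sample roots so the script runs stand-alone (not real sites).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site-a/wp-includes" "$tmp/site-b/wp-includes"
    printf '%s\n' '<?php' "\$wp_version = '4.2.2';" > "$tmp/site-a/wp-includes/version.php"
    printf '%s\n' '<?php' "define('WP_AUTO_UPDATE_CORE', false);" > "$tmp/site-a/wp-config.php"
    printf '%s\n' '<?php' "\$wp_version = '4.2.3';" > "$tmp/site-b/wp-includes/version.php"
    for d in "$tmp"/site-*; do audit_install "$d" || :; done
    rm -rf "$tmp"
}

if [ "$#" -gt 0 ]; then
    # e.g.  sh wp-audit.sh /var/www/*   (hypothetical script name)
    for d in "$@"; do audit_install "$d" || :; done
else
    demo
fi
```

The version test deliberately parses the file rather than trusting the dashboard: a site that was auto-patched shows 4.2.3 in version.php, while a site with `AUTOMATIC_UPDATER_DISABLED` or `WP_AUTO_UPDATE_CORE` set to false will sit on 4.2.2 until someone runs the update by hand.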
