Website publishers using the popular free and open source WordPress content management system (CMS) woke up this morning to find that their sites had been upgraded to version 4.2.2. Users whose sites somehow missed being automatically upgraded are urged to update immediately, as this update addresses several important security issues. According to Wordfence, maintainers of a popular WordPress security plugin, this release fixes one recently discovered vulnerability and further hardens a security issue that was addressed in version 4.2.1.
The most recent issue has to do with an HTML file vulnerable to a cross-site scripting attack, originally reported by Robert Abela of Netsparker. The vulnerability was in the Genericons icon font package used by some WordPress themes and plugins, including the Twenty Fifteen default theme. Today, all affected themes and plugins hosted by WordPress were also updated by removing the file, which is not essential. In addition, as a precaution, version 4.2.2 automatically scans for the HTML file in the wp-content directory and removes it.
The new version also includes a comprehensive fix for a critical cross-site scripting vulnerability affecting versions 4.2 and earlier that was addressed with a quick fix in version 4.2.1. It also hardens against a potential cross-site scripting vulnerability in the visual editor. Besides addressing these vulnerabilities, the release fixes thirteen bugs. More information can be found on the WordPress 4.2.2 release notes page.
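For administrators who want to confirm the two points above on their own servers, here is an added example audit script. It is not from the article and not part of WordPress core: it reads the core version from wp-includes/version.php (a real core file that defines `$wp_version`), checks that it is at least 4.2.2, and lists any HTML files left inside a genericons directory under wp-content, which is the file 4.2.2 removes. The directory layout, the `genericons` path name and the sample file name used in the demonstration are assumptions; the article does not name the file.

```shell
#!/bin/sh
# Added example (not from the article or from WordPress core): audit a
# WordPress install for the two things the 4.2.2 release addresses.

# Print the core version recorded in wp-includes/version.php, or "unknown".
wp_core_version() {
  f="$1/wp-includes/version.php"
  if [ -r "$f" ]; then
    grep 'wp_version = ' "$f" | cut -d"'" -f2
  else
    echo unknown
  fi
}

# Return 0 if dotted version $1 is at least version $2.
# Sorting both numerically and checking which comes first avoids string
# comparison pitfalls such as "4.10" sorting before "4.2".
version_at_least() {
  lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$2" ]
}

# List .html files inside any "genericons" directory below wp-content
# (the path name is an assumption; the article only says "the HTML file").
genericons_html_files() {
  find "$1/wp-content" -type f -name '*.html' -path '*/genericons/*' 2>/dev/null
}

# Run both checks against a WordPress document root.
audit_site() {
  v=$(wp_core_version "$1")
  if version_at_least "$v" 4.2.2; then
    echo "core $v: ok"
  else
    echo "core $v: update needed"
  fi
  genericons_html_files "$1" | sed 's/^/stray genericons html: /'
}

# Constructed sample install (4.2.1 core plus a leftover HTML file) so the
# script can be demonstrated offline; the file name is a placeholder.
make_sample_site() {
  d="$1"
  mkdir -p "$d/wp-includes" "$d/wp-content/themes/twentyfifteen/genericons"
  printf "<?php\n\$wp_version = '4.2.1';\n" > "$d/wp-includes/version.php"
  printf '<html></html>\n' > "$d/wp-content/themes/twentyfifteen/genericons/example.html"
}

# Demonstration on the constructed sample; a real audit would pass the
# document root instead, e.g. audit_site /var/www/html
sample=$(mktemp -d)
make_sample_site "$sample"
audit_site "$sample"
rm -rf "$sample"
```

On a live server, a reported version below 4.2.2 or any listed file means the automatic update did not complete and the site should be updated by hand.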
The time has come for FOSS Force to grow and offer expanded coverage of free and open source software and free tech. For this reason, we have declared the month of May to be “Pledge Month” on FOSS Force and have launched a fundraising campaign on Indiegogo. You can get all of the details on our campaign page.