Download WordPress 4.2.1 critical security release. WordPress 4.2.1 fixes a critical cross-site scripting (XSS) vulnerability, which could enable commenters to compromise a site.
This is a critical security release for all previous versions and WordPress strongly encourage everyone using WordPress to update your sites immediately.
Vulnerability
The vulnerability was discovered by Jouko Pynnönen.
An overview from Jouko’s website.
Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed.
If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
Solution
- To prevent exploitation, administrators should disable comments (Dashboard, Settings/Discussion, select as restrictive options as possible). Do not approve any comments.
- Download WordPress 4.2.1
- Go to your Dashboard → Updates and simply click “Update Now”.
Sources: WordPress 4.2.1, Jouko Pynnönen