Download WordPress 4.2.1 critical security release. WordPress 4.2.1 fixes a critical cross-site scripting (XSS) vulnerability, which could enable commenters to compromise a site.
This is a critical security release for all previous versions and WordPress strongly encourage everyone using WordPress to update your sites immediately.
The vulnerability was discovered by Jouko Pynnönen.
An overview from Jouko’s website.
If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
- To prevent exploitation, administrators should disable comments (Dashboard, Settings/Discussion, select as restrictive options as possible). Do not approve any comments.
- Download WordPress 4.2.1
- Go to your Dashboard → Updates and simply click “Update Now”.
Sources: WordPress 4.2.1, Jouko Pynnönen