Upgrade to WordPress Version 4.2.1
Security alert: Why you should update your version of WordPress ASAP
If you are running a version of WordPress older than 4.2.1, your website's security may be at risk. A Finnish security researcher has published a zero-day XSS vulnerability in the WordPress core engine that allows an attacker to perform:
- WordPress administrator actions (adding, modifying, removing WP accounts/passwords, etc.) and
- arbitrary code execution on the host OS, via the plugin and theme editors, on any WordPress installation older than 4.2.1. The attack vector is the WP comment functionality.
A proof of concept video and more information can be found here: http://thehackernews.com/2015/04/WordPress-vulnerability.html. The full description of the attack can be found on the researcher’s blog at: http://klikki.fi/adv/wordpress2.html.
Worth noting: upgrading to WordPress 4.2.1 also patches an unrelated SQL injection attack vector: https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/.
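As an added example (not part of the original notice, the researcher's advisory, or WordPress itself), the following Python script audits a WordPress install for the two points above: whether wp-includes/version.php reports a core version older than 4.2.1, and whether wp-config.php sets DISALLOW_FILE_EDIT to true, which removes the plugin/theme editors named above as the code-execution path. The file layout and the `$wp_version` variable are standard WordPress; the function names and the audit logic are this note's own assumptions.

```python
import re
import sys
from pathlib import Path

# Minimum core version that carries the fix described in this notice.
FIXED_VERSION = (4, 2, 1)


def parse_version(text):
    """Return the version tuple from the contents of wp-includes/version.php, or None.

    Only plain numeric releases match; a pre-release string such as '4.3-beta1'
    yields None, which audit() treats conservatively as "needs upgrade".
    """
    m = re.search(r"\$wp_version\s*=\s*['\"]([0-9.]+)['\"]", text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable_version(version):
    """True when the version predates 4.2.1.

    Tuple comparison (not string comparison) is used so that 4.1.10 sorts
    below 4.2.1; a two-part version such as (4, 2) is padded to (4, 2, 0).
    """
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded < FIXED_VERSION


def file_editing_disabled(config_text):
    """True when wp-config.php defines DISALLOW_FILE_EDIT as true."""
    pattern = r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"
    return re.search(pattern, config_text, re.IGNORECASE) is not None


def audit(wp_root):
    """Audit one WordPress install rooted at wp_root; returns a dict of findings."""
    root = Path(wp_root)
    version_text = (root / "wp-includes" / "version.php").read_text(errors="replace")
    config_path = root / "wp-config.php"
    config_text = config_path.read_text(errors="replace") if config_path.exists() else ""
    version = parse_version(version_text)
    return {
        "version": version,
        "needs_upgrade": version is None or is_vulnerable_version(version),
        "file_edit_disabled": file_editing_disabled(config_text),
    }


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. python audit_wp.py /var/www/site1 /var/www/site2
        print(path, audit(path))
```

Any install reported with `needs_upgrade` True should be updated first; `file_edit_disabled` False is worth fixing regardless of version, since it narrows what a compromised administrator session can do.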
If you have any questions or need further assistance, please contact Alex Podabas, Senior Information Security Analyst, at firstname.lastname@example.org.