Updated On April 30, 2015 - 10:26am

Upgrade to WordPress Version 4.2.1

Security alert: Why you should update your version of WordPress ASAP

If you are running a version of WordPress older than 4.2.1, your website is at risk. A Finnish security researcher has published a zero-day stored XSS vulnerability in the WordPress core engine. The injected script runs in the browser of whoever views the malicious comment, so once an administrator views it the attacker can:

  1. perform WordPress administrator actions (adding, modifying or removing WP accounts and passwords, etc.) and
  2. gain arbitrary code execution on the host OS by using the built-in plugin and theme editors to write PHP into the installation. Every WordPress version before 4.2.1 is affected. The attack vector is the WP comment functionality.
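A quick way to find installs that still need this upgrade, as an added example that is not part of the original advisory: the script below reads the version string WordPress records in wp-includes/version.php (assumed to be in its usual single-quoted form, $wp_version = '4.2';) and flags anything older than 4.2.1. The install root it creates under a temporary directory is a constructed sample, not a real site.

```sh
#!/bin/sh
# Added example, not from the UCLA advisory: flag WordPress installs older than 4.2.1.
# Assumption: each install root holds wp-includes/version.php, where WordPress core
# stores its own version as a single-quoted PHP string, e.g.  $wp_version = '4.2';

FIXED_VERSION="4.2.1"

# Print the version string recorded in an install root; fail if the file is missing.
wp_version_from_root() {
    file="$1/wp-includes/version.php"
    [ -f "$file" ] || return 1
    # Split the $wp_version line on single quotes: field 2 is the value between them.
    awk -F "'" '/^[$]wp_version[ \t]*=/ { print $2; exit }' "$file"
}

# True (exit 0) if version $1 is numerically older than version $2.
# Compares dotted components one by one so that 4.2 < 4.2.1 and 4.10 > 4.2.1;
# a pre-release suffix such as "-alpha-32000" is ignored for the comparison.
version_lt() {
    a="${1%%[!0-9.]*}" b="${2%%[!0-9.]*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bi="${b%%.*}"; if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# Exit 0 if the install at $1 is older than FIXED_VERSION, 1 if not, 2 if unreadable.
needs_upgrade() {
    v=$(wp_version_from_root "$1") || return 2
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Constructed sample install (not a real site) to run the check end to end.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes"
    printf '<?php\n$wp_version = %s;\n' "'4.2'" > "$root/wp-includes/version.php"
    v=$(wp_version_from_root "$root")
    if needs_upgrade "$root"; then
        echo "$root: WordPress $v is older than $FIXED_VERSION, upgrade it (wp-cli: wp core update)"
    else
        echo "$root: WordPress $v is at or above $FIXED_VERSION"
    fi
    rm -rf "$root"
}

demo
```

Run needs_upgrade against each document root on a host (or loop it over a list of roots) to get an exit status you can act on from a cron job or a configuration-management check; the version comparison is done component by component rather than as a string so that a future 4.10 is not mistaken for something older than 4.2.1.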

A proof-of-concept video and more information are available at: http://thehackernews.com/2015/04/WordPress-vulnerability.html. The full description of the attack is on the researcher’s blog at: http://klikki.fi/adv/wordpress2.html.

Worth noting: the post linked below describes a separate stored XSS in WordPress that was fixed earlier, in version 4.1.2 (a related MySQL truncation issue triggered with 4-byte UTF-8 characters rather than an overlong comment). If you are still on a release before 4.1.2 you are exposed to that one as well; upgrading to 4.2.1 covers both: https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/.

If you have any questions or need further assistance, please contact Alex Podabas, Senior Information Security Analyst, at ampodobas@it.ucla.edu.