WordPress 4.2.4 released, fixing critical security holes. Update immediately!

If you, or your business, run a self-hosted WordPress site then it’s time to update.

It’s only been a couple of weeks since the last security update for WordPress, but already new vulnerabilities have been found which could be exploited by malicious hackers to compromise your website.

In an advisory posted on WordPress.org, users were advised to “update their sites immediately”.

Here is the skinny from the advisory:

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

The good news is that WordPress comes with the option of automatic security updates – hopefully meaning that less sites will be left unpatched than would have been the case in the bad old days (two years ago).

But, it is inevitable that some sites aren’t using automatic updates for their own reasons, and may miss the news of this latest security release.

Fortunately, updating WordPress manually is easy. You just go to Dashboard → Updates and click “Update Now.”

I do recommend, however, testing a new version of WordPress on a non-live version of your site before rolling out to the world – just in case any conflicts or problems arise.

Note: Sites running self-hosted versions of WordPress from WordPress.org are different from the many millions of blogs which run on WordPress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.

Although there are some limitations on what website owners can do on WordPress.com, they can always be sure that they are running the latest version of WordPress.

Yes, just about everybody finds the names confusing.

Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.