If so, it’s time to ensure that you are updating to the latest version.
The WordPress guys have just released version 4.2.3, which they describe as a security and maintenance release for all previous WordPress versions:
WordPress versions 4.2.2 and earlier are affected by a critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site. This was reported by Jon Cave of the WordPress Security Team, and fixed by Robert Chapin.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.
According to reports, the security issue is in how shortcodes are used in HTML attributes – and could enable maliciously-crafted shortcodes to bypass WordPress’s kses code which is designed to strip bad stuff out of HTML, by tricking it into thinking the code is valid.
Managed WordPress service WP Engine, who I use to run this website, describes the potential consequences of the vulnerability:
But, of course, there will always be those who don’t have automatic updates enabled and may miss the news. :(
Updating WordPress is pretty easy. You just go to Dashboard → Updates and click “Update Now.”
Of course, it’s always good practice to test a new version of the software on a non-live version of your site first – if you have that capability – just in case.
Note: Sites running self-hosted versions of WordPress from WordPress.org are different from the many millions of blogs which run on WordPress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.
Although there are some limitations on what website owners can do on WordPress.com, they can always be sure that they are running the latest version of WordPress.
Don’t worry if you find the names confusing. Everyone finds the names confusing. It’s kinda crazy.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.