WordPress 4.2.3 released, fixing critical security hole. Update!

WordPressDo you, or your business, run a self-hosted WordPress site?

If so, it’s time to ensure that you are updating to the latest version.

The WordPress guys have just released version 4.2.3, which they describe as a security and maintenance release for all previous WordPress versions:

WordPress versions 4.2.2 and earlier are affected by a critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site. This was reported by Jon Cave of the WordPress Security Team, and fixed by Robert Chapin.

Sign up to our free newsletter.
Security news, advice, and tips.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

According to reports, the security issue is in how shortcodes are used in HTML attributes – and could enable maliciously-crafted shortcodes to bypass WordPress’s kses code which is designed to strip bad stuff out of HTML, by tricking it into thinking the code is valid.

Managed WordPress service WP Engine, who I use to run this website, describes the potential consequences of the vulnerability:

This vulnerability may allow users without the unfiltered_html capability, but with publishing rights, to run JavaScript code on the front end of the website. This security update ensures all shortcodes inside attributes are evaluated and then run both through kses separately and escaped for use in attributes.

XSSSince WordPress 3.7 was released in October 2013, the software has come with the option of automatic security updates – hopefully ensuring that many site admins won’t have to worry so much about whether they have kept their software updated or not.

But, of course, there will always be those who don’t have automatic updates enabled and may miss the news. :(

Updating WordPress is pretty easy. You just go to DashboardUpdates and click “Update Now.”

Of course, it’s always good practice to test a new version of the software on a non-live version of your site first – if you have that capability – just in case.

Note: Sites running self-hosted versions of WordPress from WordPress.org are different from the many millions of blogs which run on WordPress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.

Although there are some limitations on what website owners can do on WordPress.com, they can always be sure that they are running the latest version of WordPress.

Don’t worry if you find the names confusing. Everyone finds the names confusing. It’s kinda crazy.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

4 comments on “WordPress 4.2.3 released, fixing critical security hole. Update!”

  1. StewGreen

    Graham just got this news
    The automatic Update screwed up so There’s a huge problem with thousands of sites running with WordPress.
    Sarah Gooding best describes the WordPress situation:

    “WordPress 4.2.3, a critical security release, was automatically pushed out to users yesterday to fix an XSS vulnerability. Shortly afterwards, the WordPress.org support forums were flooded with reports of websites broken by the update. […]

    warning that very link crashes my chrome browser
    http://wptavern.com/plugin-developers-demand-a-better-security-release-process-after-wordpress-4-2-3-breaks-thousands-of-websites

  2. StewGreen

    here's an example
    "Dave Navarro, Jr. 5:55 am on July 24, 2015 Permalink | Log in to Reply
    \\ may affect “some” usecases… //

    LOL! How about, you broke half the internet without so much as a “howdy do”.
    And if it worked before, why exactly can’t it work now? I am still not understanding why it had to change. WordPress itself was not intended for many of its uses today, are you going to start forcing people back into blogging? Designers/developers made better use of it than you intended and you don’t like that?"
    from https://make.wordpress.org/core/2015/07/23/changes-to-the-shortcode-api/

  3. StewGreen

    ah yes here is an explanation page
    And If you wordpress was effected "A (beta) fix is available. Please go to your Toolset account "
    "The latest WordPress upgrade to 4.2.3 packed some last-minute changes related to a security hole on the shortcode parser. Unfortunately, these changes also break every shortcode that has HTML attributes. Many sites are affected by this change."
    https://wp-types.com/2015/07/wordpress-4-2-3-fixes-a-security-problem-but-breaks-sites-with-shortcodes/

  4. Fahad Rafiq

    Occasionally WordPress core updates might break your website that happens because the author of the plugins or themes may not be aware of the upcoming updates as we saw in WordPress 4.2.3 release. If you are handling multiple WordPress clients and want to be safe before upgrading then you can
    1- turn off the automatic core updates
    2- take a backup of your site
    3- Upgrade and check, if something is out of order then you can revert back for the time being.
    Details: http://www.cloudways.com/blog/wordpress-4-2-3-security-update-fixes/

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.