WordPress 4.2.1 – Security Release Fixes Zero Day XSS Vulnerability – Update Now


Just 3 days after the release of WordPress 4.2, a security researcher found a zero-day XSS vulnerability that affects WordPress 4.2, 4.1.2, 4.1.1, 4.1.3, and 3.9.3. It allows an attacker to inject JavaScript into comments and hack your site. The WordPress team responded fast and fixed the security issue in WordPress 4.2.1, and we strongly recommend that you update your sites immediately.


Jouko Pynnönen, a security researcher at Klikki Oy who reported the issue, described it as:

If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.

Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

This particular vulnerability is similar to the one reported by Cedric Van Bockhaven which was patched in the WordPress 4.1.2 security release.

Unfortunately, they did not use proper security disclosure and instead posted the exploit publicly on their site. This means that those who do not upgrade their site will be at serious risk.

Update: We have learned that they tried contacting the WordPress security team but failed to get a timely response.

If you haven’t disabled automatic updates, then your site will automatically update.

Once again, we strongly advise that you update your site to WordPress 4.2.1. Make sure to back up your site before you update.
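To tell which sites will not pick up 4.2.1 on their own, the check below reads the text of `wp-includes/version.php` and `wp-config.php`. It is an added example, not code from WordPress or from the original article. The function names are hypothetical, the affected list is copied from this page, and the configuration constants are WordPress's own (they are not named in the article). It only sees constants set in `wp-config.php`, not updates disabled by a plugin.

```python
import re

# Versions the article lists as affected (copied from the page as-is).
AFFECTED = {"4.2", "4.1.2", "4.1.1", "4.1.3", "3.9.3"}

# $wp_version assignment in wp-includes/version.php
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)
# define( 'NAME', value ); at the start of a line, so "// define(...)" is skipped
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.M | re.I)

def read_version(version_php):
    """Return the version string from version.php text, or None."""
    m = VERSION_RE.search(version_php)
    return m.group(1) if m else None

def read_defines(wp_config):
    """Map constant name -> lower-cased literal value from wp-config.php text."""
    return {name: value.strip("'\"").lower()
            for name, value in DEFINE_RE.findall(wp_config)}

def audit(version_php, wp_config):
    """Report whether a site is on an affected version and relies on a manual update."""
    version = read_version(version_php)
    d = read_defines(wp_config)
    file_mods_off = d.get("DISALLOW_FILE_MODS") == "true"
    auto_off = (file_mods_off
                or d.get("AUTOMATIC_UPDATER_DISABLED") == "true"
                or d.get("WP_AUTO_UPDATE_CORE") == "false")
    affected = version in AFFECTED
    return {
        "version": version,
        "affected": affected,
        "core_auto_updates_disabled": auto_off,
        # The quoted escalation path runs through the plugin and theme editors.
        "file_editors_disabled": file_mods_off or d.get("DISALLOW_FILE_EDIT") == "true",
        "needs_manual_update": affected and auto_off,
    }

# Constructed sample input, not taken from a real site.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.2';\n"
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example' );
// define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_AUTO_UPDATE_CORE', false );
"""
if __name__ == "__main__":
    print(audit(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG))
```

A site reported with `needs_manual_update` set is on a listed version with core auto-updates switched off, so it has to be updated by hand.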
