A critical cross-site-scripting (XSS) vulnerability of the WordPress core engine has been announced recently. The vulnerability affects all WordPress versions including the most recent major release (4.2) and has reportedly been fixed in minor security release 4.2.1.

The 0-Day vulnerability allows hackers to gain access to core site functions (such as changing passwords, adding administrator users and altering content) and, alternatively, to execute code remotely after a piece of malicious JavaScript code is injected via the comments section. Basically, the hacker is able to post and execute the malicious piece after his first, “harmless” comment is approved by an unsuspecting site administrator.

That being said, we strongly recommend updating your WordPress scripts to the most recent version (4.2.1) as soon as possible. This version is already available for updating.

When performing the update, we recommend you follow WordPress script update instructions in the Official WordPress Codex at https://codex.wordpress.org/Upgrading_WordPress_-_Extended_Instructions.

For more information, contact any of us at EthernetGeeks – we are happy to help!