Menu
WordPress fixes actively exploited flaw

WordPress fixes actively exploited flaw

WordPress 4.2.2 addresses two critical XSS flaws and hardens defenses for a third

A new WordPress version released Thursday fixes two critical cross-site scripting (XSS) vulnerabilities that could allow attackers to compromise websites.

One of the flaws is located in the Genericons icon font package that is used by several popular themes and plug-ins, including the default TwentyFifteen WordPress theme.

Researchers from Web security firm Sucuri warned Wednesday that they've already seen attacks targeting this XSS vulnerability.

To exploit it, attackers need to trick users to click on specifically crafted links, but once they do that, they can leverage the flaw to steal authentication cookies. If the victim is a website's administrator, they could gain full control over that website.

The vulnerability can be mitigated by removing the example.html file that is part of the Genericons package or by upgrading to the newly released WordPress 4.2.2.

"All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file," the WordPress developers said in the release announcement.

Once installed, WordPress 4.2.2 scans the site's directory for the vulnerable HTML file and removes all instances of it.

In addition, the new version patches a second critical cross-site scripting flaw which, according to the WordPress developers, could let anonymous users compromise a site. It also hardens defenses for a potential XSS issue in the visual editor.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags patchessecuritySucuriWordpressExploits / vulnerabilities

Featured

Slideshows

Sizing up the NZ security spectrum - Where's the channel sweet spot?

Sizing up the NZ security spectrum - Where's the channel sweet spot?

From new extortion schemes, outside threats and rising cyber attacks, the art of securing the enterprise has seldom been so complex or challenging. With distance no longer a viable defence, Kiwi businesses are fighting to stay ahead of the security curve. In total, 28 per cent of local businesses faced a cyber attack last year, with the number in New Zealand set to rise in 2017. Yet amidst the sensationalism, media headlines and ongoing high profile breaches, confusion floods the channel, as partners seek strategic methods to combat rising sophistication from attackers. In sizing up the security spectrum, this Reseller News roundtable - in association with F5 Networks, Kaspersky Lab, Tech Data, Sophos and SonicWall - assessed where the channel sweet spot is within the New Zealand channel. Photos by Maria Stefina.

Sizing up the NZ security spectrum - Where's the channel sweet spot?
Show Comments