WordPress 4.1.2 is a Critical Security Release, Immediate Update Recommended

WordPress 4.1.2 is available and is a critical security update for all previous versions of WordPress. The release contains eight security fixes: one is high risk, three are medium-to-low risk, and the remaining four were added to harden WordPress. This is the first major security update to WordPress core since WordPress 4.0.1 was released in late 2014. Three of the security issues addressed include:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

The team is aware that two update prompts are being shown; this is expected behavior. Users are encouraged to click the colored update button. The color of the button differs depending on the admin color scheme you use.

Red Update Button

WordPress 4.1.2 is not related to the cross-site scripting vulnerability discovered in a number of plugins reported yesterday. You’re encouraged to update as soon as possible if you’ve disabled automatic updates for point releases. Auto updates are being pushed out, but if you don’t want to wait, you can manually update WordPress by browsing to Dashboard – Updates.

8 Comments


  1. Cool, just discovered that I can change color scheme for admin with one click :) That red color is nice, have to set all sites now for this ;)
    Interesting is why there are two “update” buttons …



  2. 12 sites all updated in under 5 minutes (manually, I don’t do auto-updates). I like WordPress.

    Also updating 3 plugins that all those sites have and still kept it under 5 minutes. :-)



      1. Peter,

        How would you like that? Puppets comedy video? slides? carrier pigeon note? sock puppet video? other?



  3. Hi Jeff,

    Thanks for the update. I think preventing the SQL injection vulnerability is a key update for WordPress. We saw a few months back one of the most popular plugins – Contact Form 7 go down because of vulnerabilities to do with this. I’m really pleased to see there is a new update which addresses issues like this.

