WordPress 4.1.2 is available and is a critical security update for all previous versions of WordPress. The release contains eight security fixes: one is high risk, three are medium-to-low risk, and the remaining four are hardening changes. This is the first major security update to WordPress core since WordPress 4.0.1, released in late 2014. Three of the security issues addressed include:
- In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
- In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
- Some plugins were vulnerable to SQL injection. Discovered by Ben Bidner of the WordPress security team.
The team is aware that two update prompts are being shown; this is expected behavior. Users are encouraged to click the colored update button. The color of the button will vary depending on the admin color scheme you use.
WordPress 4.1.2 is not related to the cross-site scripting vulnerability discovered in a number of plugins reported yesterday. If you have disabled automatic updates for point releases, you are encouraged to update as soon as possible. Auto updates are being pushed out, but if you don’t want to wait, you can manually update WordPress by browsing to Dashboard – Updates.