WordPress 4.2.1 Released to Patch Comment Exploit Vulnerability

photo credit: Will Montague - cc

This morning we reported on an XSS vulnerability in WordPress 4.2, 4.1.2, 4.1.1, and 3.9.3, which allows an attacker to compromise a site via its comments. The security team quickly patched the vulnerability and released 4.2.1 within hours of being notified.

WordPress’ official statement on the security issue:

The WordPress team was made aware of an XSS issue a few hours ago that we will release an update for shortly. It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run Akismet, which blocks this attack. When the fix is tested and ready in the coming hours WordPress users will receive an auto-update and should be safe and protected even if they don’t use Akismet.

That auto-update is now being rolled out to sites where updates have not been disabled. If you are unsure of whether or not your site can perform automatic background updates, Gary Pendergast linked to the Background Update Tester plugin in the security release. This is a core-supported plugin that will check your site for background update compatibility and explain any issues.

Since Akismet is active on more than a million websites, the number of affected users that were not protected is much smaller than it might have been otherwise.

WordPress 4.2.1 is a critical security release for a widely publicized vulnerability that you do not want to ignore. Users are advised to update immediately. The background update may already have hit your site. If not, you can update manually by navigating to Dashboard → Updates.

20 Comments


  1. Agree with @Celeste – the Tavern is the place to get WordPress info ahead of the crowd.
    Thanks Sarah



  2. Manual updates – done

    Within 5 minutes of seeing the WPT tweet.
    Went on my browser, clicked on updates and voila. Faster than the auto-updates



  3. I hope there’ll be an official response from wordpress.org to the rather disturbing paragraph in the advisory of the security researcher who discovered the vulnerability, in which he says that they simply declined to receive any communications about this vulnerability after it was discovered. It would be good to hear their side of that.



    1. I think a lot of people would like to know, however as it stands, it doesn’t seem like we’ll be getting any sort of comment on it from people in the know. A little depressing if you ask me.



      1. The official WP announcement says “A few hours ago, the WordPress team was made aware…”.

        Obviously that’s a huge discrepancy here. It will indeed be disappointing if nobody steps up to give the official side of what’s been going on.

        David



    2. The wording of that paragraph is vague and it’d be nice to have more information from both sides. Only two specific exploits are mentioned — one from November 2014, which WP patched that month with 4.0.1, and the current exploit, which was just published on Sunday and patched a day later. As I can gather, the time in between, which is the subject of the paragraph, wasn’t about WP ignoring a specific exploit, it was about them ignoring more collaboration with the researcher (until the second exploit was proven).



  4. I was auto updated and now it’s asking me to update my database, when I update my database I get the following error: Catchable fatal error: Object of class WP_Error could not be converted to string in /home/doctorof/public_html/wp-admin/includes/upgrade.php on line 1459

    Any thoughts on how to fix it? Tried the usual methods (turning off plugins, default theme etc).



  5. The core team has been very good at responding and being transparent. I imagine that the first priority was to get the fix out.



  6. Doesn’t 4.1.4 also fix this for those who are not ready for 4.2 feature updates?



  7. This is great, but it makes me wonder how many more of these vulnerabilities are lurking about.



  8. When I go to updates it’s telling me that there are no updates available. Any thoughts on why that might be? It’s showing we’re on 4.1.2 so there should be one.



    1. My site automatically updated to 4.1.2 a few days ago, then 4.1.3 and again with 4.1.4 applied last night. When I logged in the Dashboard showed version 4.2.1 available, which I manually installed.

      Link to article about 4.1.3:
      https://wptavern.com/why-some-sites-automatically-updated-to-wordpress-4-1-3

      The downloads page was just updated to indicate that no version other than 4.2.1 is safe to use.

      https://wordpress.org/download/release-archive/



  9. Thanks for the fix, but releasing WordPress patches in short span of time is big headache for developers to make their products compatible with latest WordPress version.



    1. yep, definitely better to wait for the vulnerability to be used to hose your site than having to deal with an upgrade.



  10. The db upgrade killed our site. The release notes are silent on how the DB update is part of the patch to the XSS. What is the database upgrade for on 4.2.1? We can’t apply it to our site. Must be a plugin conflict.

