WordPress 4.2.1 Released to Patch Comment Exploit Vulnerability

photo credit: Will Montague - cc

This morning we reported on an XSS vulnerability in WordPress 4.2, 4.1.2, 4.1.1, and 3.9.3, which allows an attacker to compromise a site via its comments. The security team quickly patched the vulnerability and released 4.2.1 within hours of being notified.

WordPress’ official statement on the security issue:

The WordPress team was made aware of an XSS issue a few hours ago that we will release an update for shortly. It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run Akismet, which blocks this attack. When the fix is tested and ready in the coming hours WordPress users will receive an auto-update and should be safe and protected even if they don’t use Akismet.

That auto-update is now being rolled out to sites where updates have not been disabled. If you are unsure of whether or not your site can perform automatic background updates, Gary Pendergast linked to the Background Update Tester plugin in the security release. This is a core-supported plugin that will check your site for background update compatibility and explain any issues.

Since Akismet is active on more than a million websites, the number of affected users that were not protected is much smaller than it might have been otherwise.

WordPress 4.2.1 is a critical security release for a widely publicized vulnerability that you do not want to ignore. Users are advised to update immediately. The background update may already have hit your site. If not, you can update manually by navigating to Dashboard → Updates.

20 responses to “WordPress 4.2.1 Released to Patch Comment Exploit Vulnerability”

  1. Manual updates – done

    Within 5 minutes of seeing the WPT tweet.
    Went on my browser, clicked on updates and voila. Faster than the auto-updates

  2. I hope there’ll be an official response from wordpress.org to the rather disturbing paragraph in the advisory of the security researcher who discovered the vulnerability, in which he says that they simply declined to receive any communications about this vulnerability after it was discovered. It would be good to hear their side of that.

    • The wording of that paragraph is vague and it’d be nice to have more information from both sides. Only two specific exploits are mentioned — one from November 2014, which WP patched that month with 4.0.1, and the current exploit, which was just published on Sunday and patched a day later. As I can gather, the time in between, which is the subject of the paragraph, wasn’t about WP ignoring a specific exploit, it was about them ignoring more collaboration with the researcher (until the second exploit was proven).

  3. I was auto-updated and now it’s asking me to update my database. When I update my database I get the following error: Catchable fatal error: Object of class WP_Error could not be converted to string in /home/doctorof/public_html/wp-admin/includes/upgrade.php on line 1459

    Any thoughts on how to fix it? Tried the usual methods (turning off plugins, default theme etc).

  4. The core team has been very good at responding and being transparent. I imagine that the first priority was to get the fix out.

  5. This is great, but it makes me wonder how many more of these vulnerabilities are lurking about.

  6. When I go to updates it’s telling me that there are no updates available. Any thoughts on why that might be? It’s showing we’re on 4.1.2 so there should be one.

  7. Thanks for the fix, but releasing WordPress patches in a short span of time is a big headache for developers who have to make their products compatible with the latest WordPress version.

  8. The DB upgrade killed our site. The release notes are silent on how the DB update is part of the patch to the XSS. What is the database upgrade for in 4.2.1? We can’t apply it to our site. Must be a plugin conflict.
