WordPress 4.2.4 is available and patches six security vulnerabilities. The vulnerabilities were discovered by outside parties and members of the WordPress core security team. This release also fixes four bugs:
- WPDB: When checking the encoding of strings against the database, make sure we’re only relying on the return value of strings that were sent to the database. #32279
- Don’t blindly trust the output of glob() to be an array. #33093
- Shortcodes: Handle do_shortcode('<[shortcode]') edge cases. #33116
- Shortcodes: Protect newlines inside of CDATA. #33106
It’s been a busy year for the WordPress security team. Since the beginning of the year, there have been five security releases.
Users should check their sites to make sure they’re running 4.2.4. If your site hasn’t automatically updated yet, you should perform a full backup and manually update. Sites running WordPress RC 2 are safe since it fixes the same issues as 4.2.4.