WPBeginner

Beginner's Guide for WordPress


WordPress 4.2.1 – Security Release Fixes Zero Day XSS Vulnerability – Update Now

Last updated on April 28th, 2015 by Editorial Staff

Just 3 days after the release of WordPress 4.2, a security researcher found a zero-day XSS vulnerability that affects WordPress 4.2, 4.1.2, 4.1.1, 4.1.3, and 3.9.3. It allows an attacker to inject JavaScript into comments and hack your site. The WordPress team responded quickly and fixed the security issue in WordPress 4.2.1, and we strongly recommend that you update your sites immediately.


Jouko Pynnönen, a security researcher at Klikki Oy who reported the issue, described it as:

If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.

Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

This particular vulnerability is similar to the one reported by Cedric Van Bockhaven, which was patched in the WordPress 4.1.2 security release.

Unfortunately, they did not use proper security disclosure and instead posted the exploit publicly on their site. This means that those who do not upgrade their site will be at serious risk.

Update: We have learned that they tried contacting the WordPress security team but failed to get a timely response.

If you haven’t disabled automatic updates, then your site will automatically update.

Once again, we strongly advise that you update your site to WordPress 4.2.1. Make sure to back up your site before you update.
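
To check an install against the advice above, this added example (not WPBeginner's or WordPress's own code) reads `$wp_version` from `wp-includes/version.php` and looks in `wp-config.php` for constants that switch off automatic core updates. The fixed releases are the two named on this page (4.2.1 in the article, 4.1.4 in the comments); the file contents are constructed samples and the function names are illustrative.

```python
import re

# Fixed releases named on this page: 4.2.1 (article) and 4.1.4 (comment thread).
FIXED_BY_BRANCH = {(4, 2): (4, 2, 1), (4, 1): (4, 1, 4)}
# wp-config.php constants (and values) that stop core from updating itself.
BLOCKING = {"AUTOMATIC_UPDATER_DISABLED": {"true", "1"},
            "DISALLOW_FILE_MODS": {"true", "1"},
            "WP_AUTO_UPDATE_CORE": {"false", "0"}}
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"](\d+(?:\.\d+)*)""", re.M)
# Anchored at line start, so a "// define(...)" line is ignored.
DEFINE_RE = re.compile(r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""", re.M)
# Constructed sample file contents, not taken from a real site.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.1.3';\n"
SAMPLE_WP_CONFIG = ("<?php\n// define('WP_AUTO_UPDATE_CORE', true);\n"
                    "define( 'AUTOMATIC_UPDATER_DISABLED', true );\n")


def parse_version(version_php):
    """Return $wp_version as a 3-tuple, e.g. '4.2' -> (4, 2, 0), or None."""
    m = VERSION_RE.search(version_php)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def update_blockers(wp_config):
    """Names of wp-config.php constants that disable automatic core updates."""
    return [name for name, raw in DEFINE_RE.findall(wp_config)
            if raw.strip("'\" ").lower() in BLOCKING.get(name, ())]


def audit(version_php, wp_config):
    """Classify one install from the text of its two files."""
    version = parse_version(version_php)
    if version is None:
        status = "unknown"
    elif version[:2] > max(FIXED_BY_BRANCH):
        status = "patched"  # branch released after 4.2
    elif version[:2] not in FIXED_BY_BRANCH:
        status = "check-release-notes"  # page names no fixed release here
    elif version >= FIXED_BY_BRANCH[version[:2]]:
        status = "patched"
    else:
        status = "update-required"
    return {"version": version, "status": status,
            "blockers": update_blockers(wp_config)}

if __name__ == "__main__":
    print(audit(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG))
```

A plugin can also turn automatic updates off through a filter, which this static check of `wp-config.php` does not see.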


About the Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Trusted by over 1.3 million readers worldwide.


15 Comments

  1. Rajnish Tyagi says:
    May 7, 2015 at 8:57 am

    Hi there,

    My site was 2 times in the last week. I am using an AWS server, and for the database I am using RDS, but today my database crashed and it took 2 hours to recover. I am using the latest version of WordPress, 4.2.2.

    Please advise me on some good security tips.

    Thanks
    Rajnish

    Reply
  2. Paul says:
    Apr 30, 2015 at 5:17 am

    Thanks for the post. I’ll update my sites immediately!

    Reply
  3. Mike says:
    Apr 28, 2015 at 8:15 am

    If you have Akismet running there is a good chance that the comments will get flagged as spam so do not check your spam queue.

    Reply
  4. Bernhard says:
    Apr 28, 2015 at 6:21 am

    Please take a look at http://klikki.fi/adv/wordpress2.html where it is clearly explained how they tried contacting wordpress.com and received no reply SINCE NOVEMBER 2014 (Confirmed vulnerable: WordPress 4.2, 4.1.2, 4.1.1, 3.9.3.):

    “WordPress has refused all communication attempts about our ongoing security vulnerability cases since November 2014. We have tried to reach them by email, via the national authority (CERT-FI), and via HackerOne. No answer of any kind has been received since November 20, 2014. According to our knowledge, their security response team have also refused to respond to the Finnish communications regulatory authority who has tried to coordinate resolving the issues we have reported, and to staff of HackerOne, which has tried to clarify the status our open bug tickets.”

    If that is correct, disclosing the issue was the only responsible thing to do, and sites are vulnerable not because of the disclosure, but because of the failure on the part of WordPress to address this issue for almost 6 Months.

    I understand that security is a complex issue, but please get your facts straight.

    Reply
    • WPBeginner Support says:
      Apr 28, 2015 at 7:09 pm

      Our sincerest apologies. We have updated the article.

      Reply
  5. Bilal Bin Amar says:
    Apr 28, 2015 at 3:26 am

    But after the update, my CMS (WordPress) and my site have become very slow; in the CMS, when I click in the added a plugin, this is giving an error.

    Reply
  6. William Charles says:
    Apr 27, 2015 at 7:23 pm

    I was auto updated and now it’s asking me to update my database. When I update my database I get the following error: Catchable fatal error: Object of class WP_Error could not be converted to string in /home/doctorof/public_html/wp-admin/includes/upgrade.php on line 1459

    Any thoughts on how to fix it? Tried the usual methods (turning off plugins, default theme etc).

    Reply
    • Editorial Staff says:
      Apr 28, 2015 at 4:20 am

      Please get in touch with your hosting provider. This may be happening due to a corrupt database table. We had it happen with our site List25, and our host was able to fix it right away.

      Reply
    • kunwar says:
      May 3, 2015 at 5:20 pm

      Just visit your admin login page /wp-admin and then press the update database button, this should fix the issue.

      Reply
  7. pmisun says:
    Apr 27, 2015 at 7:20 pm

    After the auto update applied it totally messed up our instances and we got no server responses. Investigating for 6 hours now, with no positive results. Server is fine, ip providers / isps are fine…

    Reply
  8. raja babu says:
    Apr 27, 2015 at 6:03 pm

    I want to know how I can secure my site. How can I stop auto update of the site? Please help me.

    Reply
    • WPBeginner Support says:
      Apr 27, 2015 at 7:21 pm

      It is highly recommended that you update your WordPress site as soon as a new update is available. Not doing so makes your site vulnerable. However, if for some reason you want to update manually, then you can disable automatic updates in WordPress.

      Reply
  9. Elaine Maul says:
    Apr 27, 2015 at 4:43 pm

    Thank you for the alert! Although I have automatic updates set, it hadn’t got round to doing it yet for some reason, so I have actioned it myself :)
    Thank you :)

    Reply
  10. ha manh bui says:
    Apr 27, 2015 at 3:10 pm

    How can I know if my site http://homelytips.com/ is affected? It just auto updated itself to 4.1.4.

    Reply
    • Editorial Staff says:
      Apr 27, 2015 at 4:00 pm

      The auto update is done by the WordPress team if you didn’t disable them.

      4.1.4 also fixes the issue.

      Reply

Copyright © 2009 - 2021 WPBeginner LLC. All Rights Reserved. WPBeginner® is a registered trademark.
