This information is intended for U-M IT staff who are responsible for a website that uses the WordPress content management system.
A critical vulnerability in the WordPress content management system could allow commenters to compromise a website. A patch is now available that fixes a cross-site scripting (XSS) vulnerability. WordPress.org recommends updating all sites immediately. Sites that support background updates will be automatically updated. Sites that do not have comments enabled are unaffected.
Sites using the WordPress content management system version 4.2 and older, and that have comments enabled.
- Disable comments if your site does not need them.
- Update to WordPress version 4.2.1 using one of the following methods:
- If your site supports background updates, it will be updated automatically.
- Update manually by visiting your site and clicking Dashboard, then Updates, then Update Now.
- Download WordPress version 4.2.1 by visiting Download WordPress.
Proof of concept exploit code is currently available. Widespread exploitation is possible in the near future.
- WordPress 4.2.1 Security Release (WordPress.org)
- Just-released WordPress 0day makes it easy to hijack millions of websites [Updated] (Ars Technica)
- WordPress 4.2 Stored XSS (Klikki)
- Hardening WordPress (WordPress.org)