WordPress 4.2.2 addresses 2 critical security issues

WordPress 4.2.2 has just been announced. It addresses a number security issues in all previous releases, of which, these 2 security issues were deemed most serious by the WordPress team:

  • The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. (Reported by Robert Abela of Netsparker.)
  • WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. (Reported separately by Rice Adu and Tong Shi.)

The WordPress 4.2.2 release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor.

Earlier version of WordPress were also updated:
– WordPress 3.8.8
– WordPress 3.9.6
– WordPress 4.0.5
– WordPress 4.1.5

Recommended upgrade path is to upgrade to version 4.2.2 – but if you have a number of legacy plugins or theme, then you might want to be extra cautious in case the latest version is not compatible with your plugins and/or themes.

For more details – visit the official WordPress Blog News