Archives

Author: <span class="vcard">Samuel Sidler</span>

WordPress 4.4.2 Security and Maintenance Release

WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4.1 and earlier are affected by two security issues: a possible XSS for certain local URIs, reported by Ronni Skansing; and an open redirection attack, reported by Shailesh Suthar.

Thank you to both reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.4.2 fixes 17 bugs from 4.4 and 4.4.1. For more information, see the release notes or consult the list of changes.

Download WordPress 4.4.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.4.2.

Thanks to everyone who contributed to 4.4.2:

Andrea Ferciaberengerzyla, Boone Gorges, Chandra Patel, Chris Christoff, Dion Hulse, Dominik Schilling, firebird75, Ivan Kristianto, Jennifer M. Dodd, salvoaranzulla

WordPress 4.3.1 Security and Maintenance Release

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.3.1 also fixes twenty-six bugs. For more information, see the release notes or consult the list of changes.

Download WordPress 4.3.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.3.1.

Thanks to everyone who contributed to 4.3.1:

Adam Silverstein, Andrea FerciaAndrew Ozz, Boone Gorges, Brandon Kraft, chriscct7, Daisuke Takahashi, Dion Hulse, Dominik Schilling, Drew Jaynes, dustinbolton, Gary Pendergast, hauvong, James Huff, Jeremy Felt, jobst, Marin Atanasov, Nick Halsey, nikeo, Nikolay Bachiyski, Pascal Birchler, Paul Ryan, Peter Wilson, Robert Chapin, Samuel Wood, Scott Taylor, Sergey Biryukov, tmatsuur, Tracy Levesque, Umesh Nevase, vortfu, welcher, Weston Ruter

WordPress 4.2.4 Security and Maintenance Release

WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.4 also fixes four bugs. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.4 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.4.

Already testing WordPress 4.3? The second release candidate is now available (zip) and it contains these fixes. For more on 4.3, see the RC 1 announcement post.

WordPress 4.2.2 Security and Maintenance Release

WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Version 4.2.2 addresses two security issues:

The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.

Thanks to everyone who contributed to 4.2.2:

Aaron Jorbin, Andrew Ozz, Andrew Nacin, Boone Gorges, Dion Hulse, Ella Iseulde Van Dorpe, Gary Pendergast, Hinaloe, Jeremy Felt, John James Jacoby, Konstantin Kovshenin, Mike Adams, Nikolay Bachiyski, taka2, and willstedt.