BURN ALL BLOGS! WordPress has a critical cross-site scripting flaw
Problem lets writers do just about anything to a site, but safety is a click away
WordPress has warned users of a “cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site” and urged all users “to update your sites immediately.” Those are low-privilege roles (a Contributor can submit posts for review but cannot publish them), which is what makes the bug serious. Installations that auto-upgrade should already be patched.
The patch comes in the form of WordPress 4.2.3, which fixes the XSS problem and plenty more besides. One of the newly-squished bugs is described as “an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft.”
Most of the changes in version 4.2.3 appear to be ordinary bug fixes rather than security fixes. The release is nonetheless billed as a “security release” and the post announcing it urges its swift application.
The good news is that WordPress is marvelously easy to upgrade: merely pressing the “Update Now” button does the job on many installs. The content management system also offers automated updating, an option not often used by those who use WordPress at scale or in heavily customized configurations, but appreciated by those with basic blogs. ®
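For anyone running more than a couple of sites, the practical question is “which of my installs is still below 4.2.3?” The following is an added example, not code from the article or from the WordPress project: a POSIX shell check that reads the version string WordPress keeps in wp-includes/version.php and compares it with the fixed release. It assumes the file has its standard shape (a single-quoted line such as `$wp_version = '4.2.3';`) and that the docroot path is passed in; the sample installs it builds under `--demo` are constructed for illustration, not real sites.

```shell
#!/bin/sh
# Added example (not from the article or the WordPress project): check whether
# a WordPress install is at or above the fixed release, 4.2.3, by reading the
# $wp_version string in wp-includes/version.php.

FIXED_VERSION="4.2.3"

# Print the version string from a version.php file, e.g. 4.2.2.
# Assumes the single-quoted form WordPress ships:  $wp_version = '4.2.2';
wp_version_from_file() {
    awk -F"'" '/^\$wp_version[[:space:]]*=/ { print $2; exit }' "$1"
}

# Compare two dotted versions numerically, field by field, so that 4.10 > 4.9.
# Exit status 0 if $1 >= $2, otherwise 1.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Report whether the install rooted at $1 is patched.
# Exit status: 0 = patched, 1 = needs the update, 2 = version file unreadable.
check_wordpress_patched() {
    file="$1/wp-includes/version.php"
    [ -r "$file" ] || { echo "no version file at $file" >&2; return 2; }
    v=$(wp_version_from_file "$file")
    [ -n "$v" ] || { echo "could not parse version from $file" >&2; return 2; }
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "$1: WordPress $v is patched (>= $FIXED_VERSION)"
        return 0
    fi
    echo "$1: WordPress $v is VULNERABLE, update to $FIXED_VERSION"
    return 1
}

# Constructed sample install: a fake docroot holding only the version file,
# written with the version string given in $2.
make_sample_install() {
    mkdir -p "$1/wp-includes"
    printf '%s\n' '<?php' "\$wp_version = '$2';" > "$1/wp-includes/version.php"
}

# Usage: sh check_wp.sh --demo   (builds one pre-fix and one fixed sample)
#        or source it and call check_wordpress_patched /var/www/site
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_install "$tmp/old" 4.2.2
    make_sample_install "$tmp/new" 4.2.3
    check_wordpress_patched "$tmp/old"
    check_wordpress_patched "$tmp/new"
    rm -rf "$tmp"
fi
```

The version file is the reliable place to look: the dashboard's “Update Now” button and the background auto-updater both rewrite it, so a loop over docroots calling `check_wordpress_patched` tells you which sites still need a hand, including the heavily customised ones where automatic updates have been left switched off.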