Wordpress issues second urgent patch in two weeks
Run your own WP instances? You know what to do
Weary Wordpress worker-bees are being asked to hit the "Update" button again.
Just a couple of weeks after an XSS vulnerability forced a July 24th call to upgrade to Wordpress 4.2.3, a fresh batch of vulnerabilities means it's time to move to version 4.2.4.
At least Wordpress has an easy upgrade mechanism. The new vulnerabilities patched in 4.2.4 include one that Check Point Software Technologies rates as “critical”.
That one, CVE-2015-2213, is an SQL injection vulnerability in Wordpress comment handling that could let attackers “execute arbitrary SQL commands on the affected system”.
Researcher Johannes Schmitt of Scrutinizer turned up a side-channel attack, while Mohamed Baset advised Wordpress of a bug that would have let an attacker lock a post.
So, whack the “update now” button again, Wordpress admins.
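For admins running more than one instance, a quick way to tell which ones still need this update is to read the version string out of each site's wp-includes/version.php (the file really does carry a `$wp_version = '…';` assignment) and compare it numerically against 4.2.4. The script below is an added example written for this article, not Wordpress code or anything from the vendor; the instance names and version.php fragments are constructed for illustration.

```python
import re

# Minimum WordPress release carrying the fixes discussed in the article.
PATCHED_VERSION = "4.2.4"


def parse_version(text):
    """Turn a dotted version string into a tuple of ints, e.g. '4.2.4' -> (4, 2, 4).
    A trailing tag such as '-alpha' or '-RC1' is ignored for ordering purposes."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def version_from_version_php(source):
    """Extract $wp_version from the contents of wp-includes/version.php.
    Returns None if the assignment cannot be found."""
    match = re.search(r"\$wp_version\s*=\s*'([^']+)'\s*;", source)
    return match.group(1) if match else None


def needs_update(installed, minimum=PATCHED_VERSION):
    """True when the installed version is older than the minimum patched release.
    Comparing tuples of ints avoids the string-compare trap where '4.2.10' < '4.2.4'."""
    return parse_version(installed) < parse_version(minimum)


def audit(instances):
    """Given {instance name: version.php contents}, return the names that still need
    the 4.2.4 update. An instance whose version cannot be read is flagged too, since
    an unreadable version is not evidence that it is patched."""
    flagged = []
    for name, source in instances.items():
        installed = version_from_version_php(source)
        if installed is None or needs_update(installed):
            flagged.append(name)
    return sorted(flagged)


# Constructed version.php fragments for four hypothetical instances (not real sites).
SAMPLE_INSTANCES = {
    "blog.example": "<?php\n$wp_version = '4.2.3';\n",
    "shop.example": "<?php\n$wp_version = '4.2.4';\n",
    "docs.example": "<?php\n$wp_version = '4.2.10';\n",
    "broken.example": "<?php\n// version assignment missing from this copy\n",
}

if __name__ == "__main__":
    print("still need 4.2.4 or later:", audit(SAMPLE_INSTANCES))
```

In practice the `SAMPLE_INSTANCES` dictionary would be filled by reading each site's version.php over whatever access you already have to the hosts; the point of the helper is the numeric comparison, which keeps a future 4.2.10 from being misreported as older than 4.2.4.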
XSS has cropped up a few times this year, while a vuln of a different kind turned even Linux and BSD servers into zombies spaffing the world with spam. ®