Wordpress issues second urgent patch in two weeks

Run your own WP instances? You know what to do

Weary Wordpress worker-bees are being asked to hit the "Update" button again.

Just a couple of weeks after an XSS vulnerability forced a July 24th call to upgrade to Wordpress 4.2.3, a handful of further vulns means it's time to move to version 4.2.4.

At least Wordpress has an easy upgrade mechanism. The new vulnerabilities patched in 4.2.4 include one that Check Point Software Technologies rates as “critical”.

That one, CVE-2015-2213, is an SQL injection vulnerability in Wordpress comments that lets attackers “execute arbitrary SQL commands on the affected system”, which in practice means reading or rewriting the site's database.
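As an added illustration of the bug class (this is not Wordpress's code, and not the flawed 4.2.3 code path, which the article does not reproduce), here is a stand-alone PHP script against an in-memory SQLite database: a constructed wp_comments table, a function that splices caller-supplied comment IDs straight into an IN (...) clause, and the hardened equivalent that coerces each ID to an integer and binds it through a prepared statement. The function names, the sample rows and the attacker string are all assumptions made for the example.

```php
<?php
// Added example, not Wordpress core code. Requires PHP 7+ with pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the real wp_comments table.
$db->exec("CREATE TABLE wp_comments (
    comment_ID       INTEGER PRIMARY KEY,
    comment_post_ID  INTEGER NOT NULL,
    comment_author   TEXT    NOT NULL,
    comment_approved TEXT    NOT NULL DEFAULT '1')");

// Constructed sample rows: two approved comments, one held for moderation.
$db->exec("INSERT INTO wp_comments VALUES
    (1, 7, 'alice',   '1'),
    (2, 7, 'bob',     '1'),
    (3, 9, 'mallory', '0')");

// VULNERABLE (hypothetical helper): trusts that $ids holds integers and
// splices them into the query text. Any attacker-influenced element is
// parsed by the database as SQL, so the IN (...) clause and everything
// after it become whatever the attacker wrote.
function approved_comments_vulnerable(PDO $db, array $ids): array {
    $sql = "SELECT comment_ID FROM wp_comments
            WHERE comment_approved = '1'
              AND comment_ID IN (" . implode(', ', $ids) . ")";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED (hypothetical helper): force every ID to an integer first, then
// bind the values through placeholders. The query text never contains
// caller data, so there is nothing left to inject.
function approved_comments_hardened(PDO $db, array $ids): array {
    $ids = array_map('intval', $ids);
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT comment_ID FROM wp_comments
                          WHERE comment_approved = '1'
                            AND comment_ID IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: a "comment ID" that closes the IN list and
// appends an always-true condition, which switches off the approval filter.
$malicious = ['1', "2) OR ('1'='1'"];

// The vulnerable query returns the unapproved comment as well; the hardened
// one returns only the two approved IDs because intval() reduces the
// payload to 2 and the values are bound, not concatenated.
print_r(approved_comments_vulnerable($db, $malicious));
print_r(approved_comments_hardened($db, $malicious));
```

The same two-step defence applies inside Wordpress itself: cast IDs with intval() (or validate them with absint()) before they go anywhere near a query, and build the SQL with $wpdb->prepare() rather than string concatenation. An IN list is the classic place this gets skipped, because prepare() needs one placeholder per element and it is tempting to implode() the array instead.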

Researcher Johannes Schmitt of Scrutinizer turned up a timing side-channel attack, while Mohamed Baset advised Wordpress of a bug that would have let an attacker lock a post so that it could not be edited.

So, whack the “update now” button again, Wordpress admins.

It's been an unhappy year for the highly popular blogging platform: apart from high-profile users like Jamie Oliver being targeted by attackers, popular plugins bring their own vulnerabilities.

XSS has arisen a few times this year, while a vuln of a different kind turned even Linux and BSD servers into zombies spaffing spam across the world. ®




Biting the hand that feeds IT © 1998–2019