WordPress 4.2.1 – Security release fixes zero-day XSS vulnerability – Update now
Posted: Sat Jan 25, 2025 9:08 am
Just three days after the release of WordPress 4.2, a security researcher found a zero-day XSS vulnerability affecting WordPress 4.2, 4.1.2, 4.1.1, 4.1.3, and 3.9.3. This allows an attacker to inject JavaScript into comments and hack your website. The WordPress team quickly responded and fixed the security issue in WordPress 4.2.1, and we strongly recommend that you update your sites immediately.
WordPress XSS Security
Jouko Pynnönen, a security researcher at Klikki Oy who reported the issue, describes it as follows:
If triggered by a logged in administrator, the attacker can exploit the vulnerability under default settings to execute arbitrary code on the server via the plugin and theme editors.
Alternatively, the attacker could change the administrator's password, create new administrator accounts, or do anything else that the currently logged in administrator can do on the target system.
This particular vulnerability is similar to the one reported by Cedric Van Bockhaven, which was patched in WordPress security version 4.1.2.
Unfortunately, the researcher did not disclose the security flaw responsibly and instead published the vulnerability publicly on the Klikki Oy website, meaning that sites that have not been updated are at serious risk.
Update: We learned that they attempted to contact the WordPress security team but did not receive a timely response.