Critical cross-site-scripting (XSS) vulnerability of the WP core engine

  • 
    I received the following email from the team at namecheap.com:

    IMPORTANT: WordPress 0-Day Vulnerability

    Dear Client,

    This is an urgent security notification concerning those who have sites built on the WordPress platform.

    A critical cross-site-scripting (XSS) vulnerability of the WordPress core engine has been announced recently. The vulnerability affects all WordPress versions including the most recent major release (4.2) and has reportedly been fixed in minor security release 4.2.1.

    The 0-Day vulnerability allows hackers to gain access to core site functions (such as changing passwords, adding administrator users and altering content) and, alternatively, to execute code remotely after a piece of malicious JavaScript code is injected via the comments section. Basically, the hacker is able to post and execute the malicious piece after his first, “harmless” comment is approved by an unsuspecting site administrator.

    That being said, we strongly recommend updating your WordPress scripts to the most recent version (4.2.1) as soon as possible. This version is already available for automatic update via Softaculous Auto Installer, which is present by default on all our shared and reseller hosting servers and can be accessed through your cPanel account.

    When performing the update, we recommend you follow WordPress script update instructions in the Official WordPress Codex at https://codex.wordpress.org/Upgrading_WordPress_-_Extended_Instructions.

    In addition, we would like to remind you about general security rules, which should be followed regularly: https://www.namecheap.com/support/knowledgebase/article.aspx/9156/12/cms-security-issues-wordpress-security-and-optimization

    Best Regards,
    Namecheap Team

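The e-mail's advice is to update any self-hosted install to 4.2.1. The script below is an added example (not from the thread, Namecheap or WordPress) showing how to check what version a self-hosted copy is actually running before and after the update: it reads the `$wp_version` value from `wp-includes/version.php`, which every WordPress.org install carries, and reports whether it is older than 4.2.1. The directory layout and the `demo` install are constructed for the example; point `needs_update` at the real document root of your own site.

```sh
#!/bin/sh
# Added example: report whether a self-hosted WordPress tree is older than the
# 4.2.1 security release. Not part of WordPress or of the thread above.

# Print the $wp_version value from a wp-includes/version.php file.
wp_version_of() {
    sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Succeed (return 0) when dotted version $1 is older than version $2.
# Uses a numeric per-field sort so that 4.10 is correctly newer than 4.2.1.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# Check one WordPress document root.
# Returns 0 if an update is needed, 1 if the install is 4.2.1 or newer,
# 2 if the version could not be read.
needs_update() {
    root=$1
    file="$root/wp-includes/version.php"
    if [ ! -f "$file" ]; then
        echo "$root: no wp-includes/version.php found" >&2
        return 2
    fi
    ver=$(wp_version_of "$file")
    if [ -z "$ver" ]; then
        echo "$root: could not read \$wp_version from $file" >&2
        return 2
    fi
    if version_lt "$ver" "4.2.1"; then
        echo "$root: WordPress $ver is older than 4.2.1, update it"
        return 0
    fi
    echo "$root: WordPress $ver is 4.2.1 or newer"
    return 1
}

# Constructed sample install (not a real site) so the script runs stand-alone.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-includes"
    printf "<?php\n\$wp_version = '4.2';\n" > "$tmp/wp-includes/version.php"
    needs_update "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run it as `needs_update /path/to/your/site` after the update as well: if the number printed is still below 4.2.1, the update did not land and the site is still exposed.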

  • Hi there,
    This mail is intended for people using the WordPress.org (self-hosted) version of WordPress. People using WordPress.com as the host don’t need to worry about this security update. The staff at WordPress.com are always ensuring that WordPress.com receives all the security updates from time to time.
    If you have another self-hosted site, please do follow the instructions to update your WordPress version.

    If you are not sure about the differences between WordPress.com and WordPress.org, feel free to learn more about the differences from here.

  • 
    Hi vierge,

    This is a vulnerability that affects WordPress.org self-hosted sites (if it should really affect them). On WordPress.com you shouldn’t need to worry, but change your password either way and check that there is no custom code in your blog (e.g. sidebar widgets and such) if you want to be extra sure.
