WordPress is urging users to update after its developers fixed a critical stored cross-site scripting flaw in the popular publishing platform.
WordPress yesterday released version 4.2.1 of its software to address a critical stored cross-site scripting vulnerability discovered by Jouko Pynnönen, a researcher at Finnish security firm Klikki.
"This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately," WordPress said.
The update follows Klikki's disclosure of the bug, together with a proof-of-concept exploit, which affects WordPress 4.2 and below. According to Klikki, it published the details before a patch was available in the hope that doing so would force WordPress to fix the bug, claiming that its attempts to discuss the issue with the project had been ignored. Klikki said it first contacted WordPress about the flaw in November last year, while WordPress said it was first notified on Monday.
"If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes, so the comment has to be quite long," said Klikki.
"The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core."
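The quoted description amounts to a validate-then-store gap: the sanitizer sees a well-formed comment, the database keeps only the first 64 KB of it, and what is rendered later is a different document from the one that was checked. The following is an added model of that gap, written for this page; it is not Klikki's proof of concept and not WordPress code. The allow-list, the simplified HTML tokenizer, the sample comment and the rendering step (typographic-quote conversion plus a paragraph wrapper, which is an assumption about how an unclosed quote turns into bare attributes) are all constructed here.

```python
import re

# Added example: a model of the truncation bug described above.  Everything in
# this file (allow-list, tokenizer, rendering filters, sample comment) is
# constructed for illustration; none of it is WordPress or Klikki code.

MYSQL_TEXT_BYTES = 65535                 # capacity of a MySQL TEXT column
ALLOWED = {"a": {"href", "title"}}       # constructed kses-style allow-list


def start_tags(markup):
    """Return the start tags a browser-style tokenizer would emit from `markup`
    as (tag name, [attribute names]).  Simplified from the HTML tokenizer's tag
    and attribute states: a tag that the input ends inside of (including inside
    a quoted value) is dropped, as a browser drops it."""
    tags, n, i = [], len(markup), 0
    while True:
        i = markup.find("<", i)
        if i < 0:
            return tags
        i += 1
        if i < n and markup[i] == "/":              # end tag: skip to its '>'
            i = markup.find(">", i)
            if i < 0:
                return tags
            i += 1
            continue
        j = i
        while j < n and markup[j] not in " \t\n/>":
            j += 1
        name, attrs, i = markup[i:j].lower(), [], j
        while True:
            while i < n and markup[i] in " \t\n/":
                i += 1
            if i >= n:
                return tags                         # EOF inside the tag
            if markup[i] == ">":
                i += 1
                break
            j = i
            while j < n and markup[j] not in " \t\n/>=":
                j += 1
            attrs.append(markup[i:j].lower())
            i = j
            while i < n and markup[i] in " \t\n":
                i += 1
            if i < n and markup[i] == "=":
                i += 1
                while i < n and markup[i] in " \t\n":
                    i += 1
                if i < n and markup[i] in "'\"":    # quoted value
                    end = markup.find(markup[i], i + 1)
                    if end < 0:
                        return tags                 # EOF inside the value
                    i = end + 1
                else:                               # bare value: up to space/'>'
                    while i < n and markup[i] not in " \t\n>":
                        i += 1
        tags.append((name, attrs))


def kses_like_check(comment):
    """Allow-list check run on the submitted text, before it is stored."""
    return all(tag in ALLOWED and set(attrs) <= ALLOWED[tag]
               for tag, attrs in start_tags(comment))


def db_store_truncating(comment):
    """Non-strict MySQL TEXT column: bytes past the limit are silently dropped."""
    return comment.encode("utf-8")[:MYSQL_TEXT_BYTES].decode("utf-8", "ignore")


def db_store_checked(comment):
    """Hardened store: refuse what the column cannot hold intact (the effect of
    MySQL strict mode, or of a length check before the INSERT)."""
    if len(comment.encode("utf-8")) > MYSQL_TEXT_BYTES:
        raise ValueError("comment longer than the column; refusing to store")
    return comment


def render(stored):
    """Modelled output filters (an assumption of this example): apostrophes
    outside complete tags become typographic entities and the text is wrapped
    in a paragraph.  A complete <a ...> tag is left untouched; a truncated one
    has no '>' so its opening quote is rewritten and the value becomes bare."""
    body = re.sub(r"<[^>]*>|'",
                  lambda m: m.group(0) if m.group(0).startswith("<") else "&#8217;",
                  stored)
    return "<p>" + body + "</p>"


def attack_comment(padding=70000):
    """Constructed sample: one allowed tag whose single quoted title value hides
    extra attributes, padded past the column limit so the closing quote is lost."""
    return ("<a title='x onmouseover=alert(1) "
            "style=position:absolute;top:0;left:0;width:5000px;height:5000px "
            + "A" * padding + "'></a>")


def demo():
    comment = attack_comment()
    result = {"passes_check_on_submit": kses_like_check(comment)}
    stored = db_store_truncating(comment)
    result["stored_bytes"] = len(stored.encode("utf-8"))
    result["tags_in_stored_text"] = start_tags(stored)     # [] : unclosed quote
    rendered = render(stored)
    result["attrs_after_render"] = dict(start_tags(rendered))["a"][:3]
    try:
        db_store_checked(comment)
        result["hardened_rejects"] = False
    except ValueError:
        result["hardened_rejects"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth noting from running it. Re-validating the stored text is not a fix: with the closing quote gone, the tokenizer drops the tag entirely and the allow-list check passes vacuously, so the danger only appears once later filters supply a `>`. The check that actually closes the gap is the one on length before the INSERT (or a database mode that errors instead of truncating), so that what was validated is byte-for-byte what is stored.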
The security update comes just one week after WordPress released version 4.2 'Powell', which, along with many new features, carried a security fix for a similar flaw reported separately by security researcher Cedric Van Bockhaven.
It's been a busy month for WordPress security. Following an FBI alert that ISIS sympathisers were targeting vulnerable WordPress plugins, security firm Sucuri last week revealed that dozens of WordPress plugins were vulnerable to a common cross-site scripting bug that was due to a single ambiguity in WordPress' official documentation.