All WordPress users urged to update after critical flaw found

The latest version of the software, a security update, is WordPress 4.2.3.

(Image: Ingvar Bjork/stock image)

Users of popular web-based blogging software WordPress have been urged to update after a security vulnerability was discovered.

Users on versions 4.2.2 and earlier are affected by a "critical" cross-site scripting flaw, allowing someone with "contributor" or "author" roles to take over a site. (An earlier, cached version of the blog post said "critical," which has since been taken out. We've reached out to WordPress for more on this.)

Cross-site scripting (XSS) attacks allow a hacker or malicious actor to embed malicious script in a web page so that it runs in the browser of anyone who views that page.

The flaw was found internally by members of WordPress' security team. Jouko Pynnonen, whom an updated WordPress post credits with also finding and disclosing the flaw, has published further details.

"Under default configuration, the attack requires a Contributor or Author level account. The attacker would insert specially formatted HTML containing JavaScript on a WordPress page or post. Some special configurations may allow posting or editing page content for unauthenticated users," Pynnonen wrote on his blog.

The malicious script is executed when an administrator views the page.

The update also fixes a total of 20 flaws, including one where it "was possible for a user with Subscriber permissions to create a draft through Quick Draft."

Correction: WordPress initially said the flaw was found by members of its security team, but now adds it was later reported by Jouko Pynnönen.