Users of popular web-based blogging software WordPress have been urged to update after a security vulnerability was discovered.
Sites running WordPress 4.2.2 and earlier are affected by a cross-site scripting flaw that could allow a user with the "Contributor" or "Author" role to compromise the site. (An earlier, cached version of the WordPress post described the flaw as "critical"; that word has since been removed. We've reached out to WordPress for more on this.)
Cross-site scripting (XSS) lets an attacker inject script into a page a site serves, so that the script runs in the browser of whoever views that page, with that viewer's privileges. In a stored XSS flaw of this kind, a low-privilege user saves the payload in content that a higher-privilege user later opens.
WordPress initially said the flaw was found internally by members of its security team; an updated post adds that it was also found and disclosed by Jouko Pynnönen, who published further details:
The malicious script is executed when an administrator views the page.
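To make the mechanism concrete, here is an added example, not code from WordPress or from Pynnönen's advisory: a small Python allow-list sanitizer of the kind a site must apply to content stored by a Contributor or Author before that content is rendered into a page an administrator will view. The tag list, the allowed attributes and the sample payloads are assumptions constructed for this illustration; they are not the payload used against WordPress.

```python
"""Allow-list HTML sanitizer for untrusted post content (illustrative).

Hypothetical helper written for this page; not WordPress code.  Any <script>,
event-handler attribute or javascript: URL that survives filtering of a
low-privilege user's content becomes a stored XSS payload that executes with
the session of the administrator who later views the post.
"""
import html
import re
from html.parser import HTMLParser

# Tags a low-privilege user may use, with the attributes kept for each
# (assumed policy for this example).
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "a": {"href", "title"},
}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value: str) -> bool:
    """Reject URLs whose scheme is outside SAFE_SCHEMES.

    Whitespace and control characters are stripped before matching because
    browsers tolerate them inside a scheme ("java\\tscript:" still runs).
    Scheme-less (relative) URLs are accepted.
    """
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", compact)
    return m is None or m.group(1) in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuild markup keeping only allow-listed tags/attributes; escape the rest."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.stack: list[str] = []   # currently open allowed tags

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                    # drop the tag; its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue              # silently drops onclick/onerror/style/...
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return                    # stray or disallowed close tag
        while self.stack:             # close intervening unclosed tags too
            open_tag = self.stack.pop()
            self.out.append(f"</{open_tag}>")
            if open_tag == tag:
                break

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) is re-escaped, so
        # it can never be parsed as markup again.
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                          # comments can smuggle markup; drop them

    def result(self) -> str:
        self.close()
        while self.stack:             # close anything the author left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    s = AllowlistSanitizer()
    s.feed(fragment)
    return s.result()


def render_post(body: str) -> str:
    """What the server emits when an administrator views the stored post."""
    return f'<div class="post">{sanitize(body)}</div>'


if __name__ == "__main__":
    # Constructed samples of what a contributor might store.
    for payload in (
        'Hello <b>world</b><script>alert(document.cookie)</script>',
        '<img src=x onerror="alert(1)">',
        '<a href="java\tscript:alert(1)" onclick="alert(2)">click</a>',
        '<a href="https://example.com/" title="ok">fine</a>',
    ):
        print(render_post(payload))
```

Anything outside the allow list is dropped rather than escaped around: `<script>` and `<img onerror>` never reach the administrator's browser, and a `javascript:` href is removed even when obfuscated with a tab. What this example does not cover is content that is expanded or substituted after sanitization (templating or shortcode-style replacement); such output has to be escaped for the exact HTML context it lands in, or the filtering above is bypassed.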
The update also fixes 20 other bugs, including a permissions issue where it "was possible for a user with Subscriber permissions to create a draft through Quick Draft."
Correction: WordPress initially said the flaw was found by members of its security team, but now adds it was later reported by Jouko Pynnönen.