WordPress 4.2.2 was released to address two critical cross-site scripting (XSS) vulnerabilities. It is a critical security release for all previous versions and fixes the following two serious security issues:
The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins on WordPress.org have been updated to address this issue by removing the nonessential file. To protect other Genericons installations, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it.
WordPress versions 4.2 and earlier were affected by an XSS vulnerability that could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue.
The WordPress 4.2.2 security and maintenance release also hardens the visual editor against a potential XSS vulnerability. Aside from that, it contains fixes for bugs found in version 4.2, such as:
- Attachment URLs should only be forced to SSL on the front end
- Improve performance of loop detection in _get_term_children()
- Ensure unintelligible DB schemas don’t result in content loss
- Bundled Themes: Remove Genericons example.html files
- When upgrading WordPress remove genericons example.html files
It is important to update the WordPress site to the latest version. Websites that support automatic background updates are already doing so; for others, the update can be applied manually in the Dashboard by clicking “Update Now”.
Website administrators are urged to switch to the new version as soon as possible. If the update cannot be applied immediately, the Genericons flaw can be mitigated by deleting the “example.html” file in the genericons folder.
Alternatively, access to this file can be blocked by the security products protecting the website. This update is essential for protecting the site from these vulnerabilities and should be treated as mandatory.
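The manual mitigation above amounts to finding every copy of the Genericons `example.html` that a theme or plugin shipped under `wp-content` and removing it, which is also what the 4.2.2 upgrade routine does on the server's behalf. The following POSIX shell script is an added example written for this page; it is not WordPress core's own scan (which is implemented in PHP) and not code from the original post. It assumes the standard layout in which the file sits in a directory literally named `genericons` somewhere below `wp-content`, and it deliberately leaves other files in that directory (the font and CSS the theme actually needs) untouched.

```shell
#!/bin/sh
# Added example, not part of the original post or of WordPress core.
# Locate (and optionally delete) any Genericons example.html left under a
# WordPress wp-content directory. Assumption: the vulnerable file always
# lives in a directory named "genericons", e.g.
#   wp-content/themes/<theme>/genericons/example.html
#   wp-content/plugins/<plugin>/genericons/example.html

# find_genericons_example DIR
#   Print the path of every file named example.html that sits directly
#   inside a "genericons" directory below DIR, one per line. Only the
#   offending HTML page is matched; genericons.css, the font files and
#   any unrelated example.html elsewhere are not listed.
find_genericons_example() {
    dir="$1"
    find "$dir" -type f -path '*/genericons/example.html' 2>/dev/null
}

# count_genericons_example DIR
#   Number of matching files (whitespace-trimmed so it can be compared).
count_genericons_example() {
    find_genericons_example "$1" | wc -l | tr -d ' '
}

# remove_genericons_example DIR
#   Delete every file found by find_genericons_example and print how
#   many were removed. Counting before and after (instead of inside a
#   loop) keeps the count correct even when paths contain spaces and
#   avoids the subshell that a "| while read" loop would create.
remove_genericons_example() {
    dir="$1"
    before=$(count_genericons_example "$dir")
    find "$dir" -type f -path '*/genericons/example.html' -exec rm -f -- {} +
    after=$(count_genericons_example "$dir")
    echo $((before - after))
}

# Usage: sh genericons-check.sh /path/to/wp-content [--remove]
#   Without --remove the script only lists what it would delete, so an
#   administrator can review the output before acting.
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--remove" ]; then
        echo "removed $(remove_genericons_example "$1") file(s)"
    else
        find_genericons_example "$1"
    fi
fi
```

Run it once without `--remove` to confirm the list matches the theme and plugin directories you expect, then again with `--remove`. Re-running afterwards should print nothing; if a later plugin or theme update reintroduces the file, the same check will catch it, and blocking requests for `*/genericons/example.html` at the web server or WAF, as the post suggests, covers the window between that reintroduction and the next check.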
Originally posted on http://blog.heliossolutions.in/wordpress-version-4-2-2/