Lots of updates in the last few weeks and most are critical security updates


Once again, WordPress has released a new update.  We are now up to Version 4.2.2 and once again this is a critical security update released to patch cross-site scripting  vulnerabilities.  The cross-site scripting vulnerability was contained in an HTML file shipped with recent Genericons packages included in the Twenty Fifteen theme as well as a number of popular plugins.  That being said, you are probably going to see a lot of updates to your installed plugins as well.

Here is the announcement posted on the WordPress site:

WordPress 4.2.2 Security and Maintenance Release

Posted May 7, 2015 by Samuel Sidler. Filed under Releases, Security.

WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Version 4.2.2 addresses two security issues:

  • The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
  • WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi from Baidu[X-team].

The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.”