Daily Archives: September 15, 2015

WordPress Releases Security Updates

Earlier today, WordPress released version 4.3.1 of its popular self-hosted blogging tool/content management system (CMS, defined).

This update resolves 3 security issues:

The most serious issue was a cross-site scripting issue (defined) when processing shortcode tags that could allow an attacker to inject JavaScript (defined) of their choice into the page. Such JavaScript code could be used in watering-hole attacks (defined). This issue is discussed in more detail in this article.

A further cross-site scripting issue was also corrected in the user list table. The final fix addressed a permissions issue where a user could sticky private posts when they would otherwise not have the permissions/rights to do so.

Due to the severity of these issues, WordPress is advising its users to update immediately.

WordPress users can update their CMS manually (access your WordPress dashboard and choose Updates -> Update Now). Since version 3.7 of WordPress, an automatic updater (thanks to Sophos for this useful piece of information) will install the above-mentioned update in the background. Full details of this update and how to install it are available in this WordPress blog post. WordPress.com hosted blogs, such as the one you are reading now, automatically receive such security updates.

Thank you.