WP security

WordPress 4.2. Is it safer?

Security breaches in WordPress have for the most part been related to plugins. This week, however, a Finnish researcher disclosed details of a zero-day vulnerability he discovered in the core engine of WordPress 4.2 and earlier that could lead to remote code execution on the webserver.

The vulnerability, present in WordPress 4.2 and below, could allow an attacker to inject JavaScript through the WordPress comment field. The comment has to be at least 66,000 characters long, and the injected code is triggered when the comment is viewed. The data is truncated as it is written to the database, which breaks the safety checks that are supposed to filter out malicious code before the comment is displayed to visitors: the checks run on the full comment, but what is stored and later rendered is the cut-off version. According to the researcher: “During this time all WordPress servers using default comment settings have been quite easily hackable,” he said. “Now it turns out they still didn’t get it right. It looks like the risk for WordPress users may be smaller and patches faster with full disclosure.” On Monday, the company issued a “critical” security update, WordPress 4.2.1.
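To make the mechanism concrete, here is a small model of the defect as an added example; it is not WordPress code and not the researcher's proof of concept. It assumes the comment column is a MySQL TEXT column (65,535 bytes, silently truncated outside strict SQL mode) and uses a toy allow-list sanitizer in place of the real WordPress comment filters. The vulnerable path sanitizes first and lets the database cut the value; the hardened path enforces the storage limit on the raw input before sanitizing, and a fixed-point check shows how an audit script can tell stored content that no longer matches what the sanitizer would produce.

```python
import html
import re

# Assumption (not stated in the post): the comment column is a MySQL TEXT
# column, which holds at most 65,535 bytes. Outside strict SQL mode a longer
# value is silently truncated instead of rejected.
COLUMN_MAX_BYTES = 65535

TAG_RE = re.compile(r"<(/?)(\w+)([^>]*)>")


def sanitize(content: str) -> str:
    """Toy allow-list sanitizer standing in for the WordPress comment filters.

    Keeps only well-formed <a href="..."> and </a> tags; every other tag and
    all surrounding text is HTML-escaped.
    """
    out = []
    pos = 0
    for m in TAG_RE.finditer(content):
        out.append(html.escape(content[pos:m.start()]))
        closing, name, attrs = m.groups()
        if name.lower() == "a" and not closing and re.fullmatch(r'\s+href="[^"<>]*"', attrs):
            out.append(m.group(0))
        elif name.lower() == "a" and closing and attrs == "":
            out.append("</a>")
        else:
            out.append(html.escape(m.group(0)))
        pos = m.end()
    out.append(html.escape(content[pos:]))
    return "".join(out)


def truncate_to_column(value: str) -> str:
    """Mimic non-strict MySQL: cut the value at the column size, no error."""
    return value.encode("utf-8")[:COLUMN_MAX_BYTES].decode("utf-8", errors="ignore")


def store_comment_vulnerable(content: str) -> str:
    # Sanitize first, then let the database truncate: the safety checks ran
    # on text that is not what ends up stored and rendered.
    return truncate_to_column(sanitize(content))


def store_comment_hardened(content: str) -> str:
    # Enforce the column limit on the raw input before sanitizing, so the
    # sanitizer sees exactly the bytes that will be persisted.
    if len(content.encode("utf-8")) > COLUMN_MAX_BYTES:
        raise ValueError("comment exceeds storage limit")
    return sanitize(content)


def hardened_accepts(content: str) -> bool:
    """True if the hardened path stores the comment, False if it rejects it."""
    try:
        store_comment_hardened(content)
        return True
    except ValueError:
        return False


def is_sanitizer_fixed_point(stored: str) -> bool:
    """Invariant to assert at render time or in an audit over existing rows:
    stored content must come back out of the sanitizer unchanged."""
    return sanitize(stored) == stored


# Constructed, benign input: filler text followed by a link whose href
# attribute straddles the 65,535-byte boundary (about 66,000 chars in total).
LONG_COMMENT = "a" * 65_500 + '<a href="' + "b" * 600 + '">link</a>'

if __name__ == "__main__":
    stored = store_comment_vulnerable(LONG_COMMENT)
    print("stored bytes:", len(stored.encode("utf-8")))
    print("stored tail :", repr(stored[-20:]))
    print("sanitizer fixed point:", is_sanitizer_fixed_point(stored))
    print("hardened path accepts:", hardened_accepts(LONG_COMMENT))
```

Running it shows the vulnerable path persisting a comment that ends in the middle of an opening tag, which the sanitizer would never have produced, while the hardened path refuses the comment outright. The general lesson is that any validation must run on the exact value that will be stored; a length limit applied before sanitization, plus strict SQL mode so the database errors instead of truncating, closes this class of bug.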

April has been an intense month, with updates launching weekly to patch vulnerabilities found in some of the most popular WP plugins. It is key to keep up with updates to reduce the risk of an attack. Also keep a solid daily backup and restore platform in place.

If you have any questions on how to patch this issue, or other WP-related security questions, please contact us to review your site.