WordPress 4.1.2 Released

Note: All clients will be updated today!

Prior to this post, WordPress update notifications were posted only at WPbyMe.com, my WordPress training site. From this update forward, notifications will be posted here as well.

WordPress 4.1.2 is considered a critical security release, and you are strongly encouraged to update your sites immediately. It patches a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site and affects 4.1.1 and earlier releases.

In addition, the following security fixes are covered with 4.1.2:

  • Files with invalid or unsafe names could be uploaded (4.1 and higher)
  • A very limited cross-site vulnerability which could be used as part of a social engineering attack (3.9 and higher)
  • Some plugins were vulnerable to an SQL injection vulnerability.

Full source and credits to those who discovered the vulnerability are available in the official release announcement at WordPress.org.

 

WordPress 4.1.4 and 4.2.1 Released

A vulnerability was discovered that would allow someone to leave a comment which, when approved, could allow them to compromise your site. 4.1.4 (for those still not on 4.2) and 4.2.1 were released to help seal this issue by removing any malicious comments on upgrade from previous versions and ensuring that comments are not too long.

What a week for WordPress. First 4.1.2 to fix a security issue, then 4.1.3 and 4.2 right on its heels. Then issues with 4.2 sites trying to update to 4.1.3, and now this. It’s been a bumpy ride, but rest assured, my clients’ sites have all been updated to the latest version as always.