Wordpress has issued another update, two weeks after it had fixed an XSS vulnerability and released version 4.2.3.
In an official announcement, it urged all users to update their websites to version 4.2.4 immediately.
Wordpress explained that this latest security release addresses six issues that have come to light since the last update, including “three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site”.
The new update also includes a solution for a possible timing side-channel attack, which was uncovered by Johannes Schmitt of Scrutinizer.
Additionally, Wordpress 4.2.4 offers users protection against attackers attempting to lock a post from being edited, it stated.
It also contains fixes for four bugs that were found in the previous version. As documented by Wordpress in its security update release notes, these include:
- FIX - WPDB: When checking the encoding of strings against the database, make sure we're only relying on the return value of strings that were sent to the database. #32279
- FIX - Don't blindly trust the output of glob() to be an array. #33093
- FIX - Shortcodes: Handle do_shortcode('<[shortcode]') edge cases. #33116
- FIX - Shortcodes: Protect newlines inside of CDATA. #33106
Wordpress users can download the latest version by visiting its website, or via their dashboard. It added that websites that support automatic updates will already be updating to version 4.2.4.
As it has previously stated, never download or install Wordpress from any other website other than the official one. It does not release updates on any other platform.
