Critical XSS vulnerability addressed in latest WordPress update

Yesterday, WordPress 4.1.2 was released. This is a very important security release, which addresses a critical cross-site scripting (XSS) vulnerability, which could allow an anonymous user to compromise a WordPress site. 

The security release also addresses 3 other vulnerabilities affecting previous releases of WordPress.

  1. In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded
  2. In WordPress 3.9 and higher, a very limited XSS vulnerability could be used as part of a social engineering attack.
  3. Some plugins were vulnerable to an SQL injection attack

If you are running WordPress, you are urged to upgrade to WordPress 4.1.2. Acunetix can already detect vulnerable WordPress installations. If you are using Acunetix WVS, you will need to install the update from Help > Check for Updates. Acunetix OVS has been updated to detect the vulnerability.


Share this post
  • This alone should serve as a reason to always make sure you are running the most current software version available. Even though 3.9 was only released just over a year ago, the fact that it has a vulnerability to support a social engineering attack means that it is time to upgrade! Application providers constantly update with security patches and enhancements – so it’s important end users upgrade to ensure they are running the most secure version available.

  • Leave a Reply

    Your email address will not be published.