Yesterday, WordPress 4.1.2 was released. This is a very important security release, which addresses a critical cross-site scripting (XSS) vulnerability, which could allow an anonymous user to compromise a WordPress site. 

The security release also addresses 3 other vulnerabilities affecting previous releases of WordPress.

  1. In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded
  2. In WordPress 3.9 and higher, a very limited XSS vulnerability could be used as part of a social engineering attack.
  3. Some plugins were vulnerable to an SQL injection attack

If you are running WordPress, you are urged to upgrade to WordPress 4.1.2. Acunetix can already detect vulnerable WordPress installations. If you are using Acunetix WVS, you will need to install the update from Help > Check for Updates. Acunetix OVS has been updated to detect the vulnerability.


Nicholas Sciberras
Principal Program Manager
As the Principal Program Manager, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams, and provided technical training.