Critical XSS vulnerability addressed in latest WordPress update

Yesterday, WordPress 4.1.2 was released. This is a very important security release, which addresses a critical cross-site scripting (XSS) vulnerability, which could allow an anonymous user to compromise a WordPress site. 

The security release also addresses 3 other vulnerabilities affecting previous releases of WordPress.

  1. In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded
  2. In WordPress 3.9 and higher, a very limited XSS vulnerability could be used as part of a social engineering attack.
  3. Some plugins were vulnerable to an SQL injection attack

If you are running WordPress, you are urged to upgrade to WordPress 4.1.2. Acunetix can already detect vulnerable WordPress installations. If you are using Acunetix WVS, you will need to install the update from Help > Check for Updates. Acunetix OVS has been updated to detect the vulnerability.


Share this post
Nicky SciberrasNicholas Sciberras Chief Technical Officer

As the CTO at Acunetix, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams and provided technical training.

  • This alone should serve as a reason to always make sure you are running the most current software version available. Even though 3.9 was only released just over a year ago, the fact that it has a vulnerability to support a social engineering attack means that it is time to upgrade! Application providers constantly update with security patches and enhancements – so it’s important end users upgrade to ensure they are running the most secure version available.

  • Comments are closed.