Yesterday (21 April 2015), WordPress 4.1.2 was released. This is a very important security release: it addresses a critical cross-site scripting (XSS) vulnerability that could allow an anonymous user to compromise a WordPress site.
The security release also addresses three other vulnerabilities affecting previous releases of WordPress:
- In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded.
- In WordPress 3.9 and higher, a very limited XSS vulnerability could be used as part of a social engineering attack.
- Some plugins were vulnerable to an SQL injection attack.
If you are running WordPress, you are urged to upgrade to WordPress 4.1.2 without delay. Sites with automatic background updates enabled (the default for minor releases since WordPress 3.7) will receive the update on their own, but you should still confirm the installed version under Dashboard > Updates rather than assume it has been applied. Acunetix can already detect vulnerable WordPress installations. If you are using Acunetix WVS, you will need to install the update from Help > Check for Updates. Acunetix OVS has been updated to detect the vulnerability.