The developers of the WordPress content management system (CMS) have released a security and maintenance update to address a vulnerability and dozens of non-security issues.
WordPress 4.4.1, the first update released for WordPress 4.4 “Clifford,” resolves a cross-site scripting (XSS) vulnerability that could allow malicious actors to compromise affected websites. The flaw was reported to WordPress developers by a Philippines-based independent security researcher who uses the online moniker “Crtc4L” via the HackerOne platform.
The details of the vulnerability have not been disclosed, most likely in order to give users enough time to update their installations.
Crtc4L’s HackerOne profile shows that Automattic, the company behind the free blogging service WordPress.com, awarded the researcher a bounty, but the amount has not been disclosed.
In addition to the XSS vulnerability, WordPress 4.4.1 also addresses 52 non-security bugs affecting version 4.4.
With more than 140 million downloads, WordPress is the most popular CMS on the Web, but it’s also the most attacked. It’s not uncommon for malicious actors to exploit vulnerabilities in both WordPress itself and various plugins.
In August, security firm Zscaler reported that thousands of WordPress websites had been compromised and abused to redirect visitors to Neutrino exploit kit sites set up to serve malware.
WordPress websites are often compromised via brute force attacks that rely on the fact that many administrators set weak passwords for their accounts. In October, Sucuri discovered that attackers had been abusing the XML-RPC protocol to amplify brute force attacks against WordPress websites.