The developers of the WordPress content management system (CMS) today announced the release of version 4.2.4. This security release addresses six vulnerabilities and four bugs.
According to the release notes, WordPress 4.2.4 patches three cross-site scripting (XSS) flaws and a SQL injection vulnerability that can be exploited to compromise websites. The latest version also protects users against a potential timing side-channel attack and prevents attackers from locking posts so that they cannot be edited.
Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, Ivan Grigorov, Johannes Schmitt of Scrutinizer, and Mohamed A. Baset have been credited with reporting these vulnerabilities.
WordPress has noted that these fixes are also included in WordPress 4.3 RC2.
Check Point has published a brief advisory for the SQL injection vulnerability (CVE-2015-2213) patched in the latest version of WordPress. According to the security firm, this is a critical flaw affecting WordPress 4.2.3 and prior.
“An SQL injection vulnerability has been reported in WordPress Comments. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system,” reads the advisory from Check Point.
WordPress 4.2.4 comes less than two weeks after the release of version 4.2.3, a security and maintenance release that patched two security issues and 20 bugs.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
