The developers of the WordPress content management system (CMS) today announced the release of version 4.2.4. This security release addresses six vulnerabilities and four bugs.
According to the release notes, WordPress 4.2.4 patches three cross-site scripting (XSS) flaws and a SQL injection vulnerability that can be exploited to compromise websites. The latest version also protects users against a potential timing side-channel attack, and prevents attackers from locking posts from being edited.
Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, Ivan Grigorov, Johannes Schmitt of Scrutinizer, and Mohamed A. Baset have been credited for reporting these vulnerabilities.
WordPress has noted that these fixes are also included in WordPress 4.3 RC2.
Check Point has published a brief advisory for the SQL injection vulnerability (CVE-2015-2213) patched in the latest version of WordPress. According to the security firm, this is a critical flaw affecting WordPress 4.2.3 and prior.
“An SQL injection vulnerability has been reported in WordPress Comments. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system,” reads the advisory from Check Point.
WordPress 4.2.4 comes less than two weeks after the release of version 4.2.3, a security and maintenance release that patched two security issues and 20 bugs.