WordPress issues critical security release
WordPress users should update as soon as possible, as the latest release (4.1.2) plugs a critical cross-site scripting vulnerability that could allow anonymous users to compromise a site.
This security release also fixes two other, less serious vulnerabilities and several plugins that were vulnerable to SQL injection, and it includes hardening changes.
WordPress developer Gary Pendergast also mentioned the XSS flaws recently found in a number of popular WP plugins due to the insecure implementation of two functions often used by developers to modify and add query strings to URLs within WordPress.
“Keep everything updated to stay secure,” Pendergast urged. He advised plugin authors to check whether their plugin is affected by the same issue, and offered instructions on how to do it.
Sucuri Security listed the most popular plugins affected, along with information about which ones have already been fixed.