The WordPress maintainers have released a fix for a critical zero-day vulnerability affecting WordPress-hosted websites, and they recommend updating sites immediately.
The flaw is a stored cross-site scripting (XSS) issue that can be leveraged via the comment section of a website running WordPress, by hiding malicious code that is executed on the server.
This issue was discovered by Jouko Pynnönen of the Finland-based vulnerability research company Klikki Oy, and it is similar to a bug found and reported privately by Cedric Van Bockhaven, which was fixed in WordPress 4.1.2.
From WordPress news:
WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.
You can refer to the following video, made available by Klikki Oy, demonstrating the security flaw:
How to update WordPress to 4.2.1?
The WordPress 4.2.1 update is being rolled out as an automatic background update for sites that support them.
– Download WordPress 4.2.1 and apply it manually
– Or go to Dashboard → Updates in your website admin page and simply click “Update Now”.
Where to see the release notes and changeset info?
For more information on this issue and what was fixed, see the links below:
– release notes
– list of changes
Make arrangements to upgrade your WordPress installation to version 4.2.1 and treat this as a priority task, because the code for exploiting the vulnerability has been publicly available since Sunday.
Be sure to back up your database, website files and any other relevant data before applying this update.
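As an added example (not code from the post or from WordPress), the following shell helpers let an administrator check whether an install is still below the patched 4.2.1 release and take a file-and-database backup before updating. It assumes the standard WordPress layout, where wp-includes/version.php declares `$wp_version`; the document root and database name are placeholders, and mysqldump is assumed to read its credentials from ~/.my.cnf.

```shell
#!/bin/sh
# Added example: fleet-style check for the WordPress 4.2.1 security update.
# Assumes DOCROOT/wp-includes/version.php contains a line like
#   $wp_version = '4.2';
# Paths and the database name used below are placeholders.

PATCHED_VERSION="4.2.1"

# Print the WordPress version declared in the given document root.
wp_installed_version() {
    docroot="$1"
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$docroot/wp-includes/version.php"
}

# Return 0 if dotted version $1 is lower than dotted version $2.
# Missing components are treated as 0, so 4.2 < 4.2.1 and 4.2.1 == 4.2.1.
version_lt() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all components equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Return 0 if the install at $1 still needs the 4.2.1 update, 2 if unreadable.
needs_update() {
    v=$(wp_installed_version "$1")
    [ -n "$v" ] || { echo "cannot read WordPress version in $1" >&2; return 2; }
    version_lt "$v" "$PATCHED_VERSION"
}

# Back up the site files and database into $3 (default: a timestamped /tmp dir).
backup_site() {
    docroot="$1"; dbname="$2"; out="${3:-/tmp/wp-backup-$(date +%Y%m%d%H%M%S)}"
    mkdir -p "$out" &&
    tar -czf "$out/files.tgz" -C "$docroot" . &&
    mysqldump "$dbname" > "$out/db.sql"
}

# Usage (placeholder paths): refuse to update without a backup.
# if needs_update /var/www/html; then
#     backup_site /var/www/html wordpress && echo "backup done; now apply 4.2.1"
# fi
```

Run `needs_update` against each document root you manage; a zero exit means the install is still on a vulnerable version and should be backed up and updated first.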