New Security Vulnerability in the Latest WordPress Release

WordPress 4.2, released last week, has a new zero-day security vulnerability. WordPress is now working on a patch but there is no ETA as yet.

More details from Sucuri here. The problem is:

“An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts on your site, thus potentially allowing them to infect your visitors with malware, inject SEO spam or even insert backdoor in the site’s code if the code runs when in a logged-in administrator browser.”

In the meantime, if you use comments on your site you are at risk, unless you’re using Akismet which is already configured to block this attack.

Otherwise, they suggest that you disable comments on your site temporarily. To do this, login to the admin side and go to Settings > Discussion

• Uncheck the Allow people to post comments on new articles option
• Check the Automatically close comments on articles older than option and in the provided filed enter a ‘1’
• Click the Save Settings on the bottom of the page

Once the new WordPress patch is released you can undo these changes.

WP Minder clients, this has been done for you already.