Last week, WordPress announced the release of an update to address security and maintenance issues. The publishing platform urged users to update their systems immediately, protecting them from a cross-site scripting (XSS) vulnerability.
Aaron Jorbin, a WordPress contributor who published news of the update’s release on the company’s official blog, warned that WordPress versions 4.4 and earlier could allow sites to be compromised due to the cross-site scripting vulnerability. The loophole was discovered and reported by Crtc4L.
The bug allows remote attackers to gain access and compromise sites. Hackers are able to pass malicious content between sites through the cross-site scripting vulnerability. The kind of code injection bypasses the same-origin policy, which is an important concept in web security applications. Wikipedia says under the policy, “a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.”
The vulnerability was spotted by Crtc4L, who is an independent security researcher based in the Philippines. They were awarded a bounty through HackerOne for their discovery.
In addition, the update also contains several bug fixes unrelated to security. Among them are support for all the new emoji characters lately added to the emoji collection, including the diverse hand gestures and faces. Fans of emojis on iOS will rejoice at the long-awaited news.
WordPress 4.4.1 fixes 52 bugs from the last version. Fixes to solutions included: “Some sites with older versions of OpenSSL installed were unable to communicate with other services provided through some plugins,” and “if a post URL was ever re-used, the site could redirect to the wrong post.”
Automatic updates are being rolled out to sites that support automatic background updates. To download manually, you can either head over to Dashboard > Updates in WordPress and click on the “Update Now” button, or download WordPress 4.4.1 from WordPress directly.