WordPress 4.1.4 and 4.2.1 Released with Security Fixes for 4.1.3 and 4.2

Update: WordPress 4.2.2 and WordPress 4.1.5 were released May 7. They contain important security fixes for a cross-site scripting (XSS) vulnerability, reported by Robert Abela of Netsparker. The vulnerability affects a number of popular themes and plugins, including the WordPress default theme Twenty Fifteen.


Update April 28: WordPress 4.2.1 and 4.1.4 are available now. Both updates contain important security fixes for WordPress 4.2 and WordPress 4.1.3 respectively, and we recommend that you update your WordPress installation and plugins as soon as possible!

Updating WordPress and Plugins

As with all minor releases, your website will be updated automatically unless you have disabled automatic updates.

For 1&1 customers:

  • Safe Mode: Customers using 1&1 Click & Build Safe Mode will be updated automatically (rollout is already in progress).
  • Free Mode and self maintained installations:
    • If you have automatic updates enabled for your site, it will be updated to WordPress 4.1.4 or WordPress 4.2.1 automatically.
    • If you have automatic updates disabled: Please update manually as soon as possible.

About the cross-site scripting vulnerability

Current WordPress versions are vulnerable to a cross-site scripting attack that exploits a flaw in the comments function to execute JavaScript in the browser of whoever views the comment. Through it an attacker can gain full admin access to a WordPress website and run malicious code on the server.

This vulnerability was fixed in WordPress 4.2.1 and WordPress 4.1.4.

Details

To exploit the vulnerability, the attacker submits a specially crafted comment that exceeds the 64 kilobyte size limit of the MySQL TEXT type used for comments. The database silently truncates the comment when it is stored, and the truncated remainder is malformed HTML that no longer matches what WordPress checked on input.

1&1 customers were protected against this vulnerability

On April 27, 2015, our security team had already taken action and automatically blocked potential attacks, protecting all WordPress websites hosted with 1&1 Web Hosting (shared & managed).

General recommendations (obsolete: please update your website instead)

The following applies to everyone managing a WordPress website and describes how you can protect your website against these attacks.

Recognizing attacks

Attacks are carried out through very long comments.

Example:

<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA...[64 kb]..AAA'></a>

In the example comment the character A is repeated many thousands of times to push the comment past the size limit. The attacker can vary this padding string freely, so its exact content is not a reliable signature; the excessive length is.

Source: Klikki Blog
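As an added illustration of the length-based recognition rule above and of the truncation described under Details (this is not code from 1&1 or from WordPress): a small Python checker that measures a comment in bytes against the MySQL TEXT limit, simulates the cut, and reports whether the stored remainder would end in an unterminated tag. The sample comments are constructed; the "attack_shape" one mirrors the structure of the example comment with a placeholder handler, and the classification does not depend on which padding character is used.

```python
# Heuristic checks for the oversized-comment pattern discussed above.
# Added example; not 1&1's or WordPress's code. All sample comments are constructed.

MYSQL_TEXT_MAX_BYTES = 65535  # MySQL TEXT column limit (64 KB), as stated under Details


def exceeds_text_limit(comment: str) -> bool:
    """True if the comment would not fit in a MySQL TEXT column (the limit is in bytes, not characters)."""
    return len(comment.encode("utf-8")) > MYSQL_TEXT_MAX_BYTES


def truncate_like_mysql(comment: str) -> str:
    """Simulate the silent 64 KB cut; a partial trailing multibyte character is dropped."""
    return comment.encode("utf-8")[:MYSQL_TEXT_MAX_BYTES].decode("utf-8", "ignore")


def truncation_breaks_tag(comment: str) -> bool:
    """True if the cut lands inside an HTML tag, so the stored comment ends in an unterminated tag."""
    if not exceeds_text_limit(comment):
        return False
    stored = truncate_like_mysql(comment)
    last_open = stored.rfind("<")
    return last_open >= 0 and ">" not in stored[last_open:]


def classify(comment: str) -> str:
    """Return 'ok', 'oversized' (long but cut outside any tag) or 'oversized-broken-tag'."""
    if not exceeds_text_limit(comment):
        return "ok"
    return "oversized-broken-tag" if truncation_breaks_tag(comment) else "oversized"


# Constructed samples: a normal comment, a long plain-text comment, and one shaped like the
# example comment above (handler hidden inside a quoted attribute, padded past the 64 KB limit).
SAMPLES = {
    "normal": "Thanks, very helpful post!",
    "long_text": "A" * 70000,
    "attack_shape": "<a title='x onmouseover=alert(1) style=position:absolute " + "A" * 70000 + "'></a>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:13s} {len(body.encode('utf-8')):6d} bytes -> {classify(body)}")
```

A moderation queue or log-review script can run `classify` over incoming comment bodies and hold anything that is not "ok"; measuring in bytes matters because a comment of 40,000 two-byte characters already exceeds the limit.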

Preventing attacks

Adjust the comment settings as follows: Select restrictive comment settings and moderate cautiously.

Deactivate the comment function for new posts:

  • In the WordPress admin area, select Settings > Discussion
  • Under Default article settings, deactivate the option Allow people to post comments on new articles.

Configure your comments restrictively:

  • In the WordPress admin area, select Settings > Discussion
  • Under Before a comment appears, deactivate the option Comment author must have a previously approved comment.
  • Under Before a comment appears, activate the option Comment must be manually approved.

Screenshot: Disable comments for new articles / Comments must be manually approved
Timeline

In the past few weeks multiple critical security updates for WordPress were released. The most recent WordPress update contains all fixes that were part of these previous updates.

April 24, 2015: WordPress 4.2 was just released, featuring all security fixes from 4.1.2. The WordPress team also released the WordPress 4.1.3 maintenance update, which fixes broken database writes for exotic character sets, an issue introduced in WordPress 4.1.2.

April 22, 2015: WordPress 4.1.2 was released a few hours ago with a focus on fixing a critical cross-site scripting vulnerability. This vulnerability affects WordPress versions 4.1.1 and lower and might allow anonymous users to compromise a website.

Learn more about all security fixes in WordPress 4.1.2 on the WordPress Blog.

Unclear documentation in the WordPress Codex resulted in a misuse of the add_query_arg() and remove_query_arg() functions, making multiple popular WordPress plugins vulnerable to cross-site scripting (XSS).

Some of the affected plugins:

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All in One SEO
  • Gravity Forms
  • Broken-Link-Checker
  • WP-E-Commerce

These plugins have been patched in the meantime. Source: Sucuri Blog

2 thoughts on “WordPress 4.1.4 and 4.2.1 Released with Security Fixes for 4.1.3 and 4.2”

  1. Cornish says:

    When will the update be rolled out? I even created the WordPress web site after the release date and my web site is still running 4.1.4.

    1. Philipp Bellmann says:

      Hey Cornish, we focused on 4.1.4 for Safe Mode last week and are now preparing the WordPress 4.2.1 rollout for Safe Mode installs.
      If you want to update right now, you can switch to Free Mode at any time and then update WordPress yourself.

      Please have a look at our tutorial: Switching to Free Mode

      Best,
      Phil
