WordPress 4.2.2 and 4.1.5 Security Updates Close Critical Cross-Site Scripting (XSS) vulnerability

security-vi2-cropWordPress 4.2.2 and WordPress 4.1.5 were released May 7. They contain important security fixes for a cross-site scripting (XSS) vulnerability, reported by Robert Abela of Netsparker. The vulnerability affects  a number of popular themes and plugins, including the WordPress default theme Twenty Fifteen.

4.2.2 also hardens an existing fix for a vulnerability in the Visual editor found in WordPress 4.2 and lower. Please update your websites immediately. More info: WordPress Blog.

Updating your website to WordPress 4.2.2

Automatic updates have already begun for all websites with this feature enabled. If you update manually, please do so from your WordPress Dashboard or download WordPress 4.2.2 as soon as possible.

If you are still using WordPress 4.1.4 and do not want to update to 4.2.2, you can update to WordPress 4.1.5, which also contains the latest security updates.

For 1&1 customers:

  • Safe Mode: Customers using 1&1 Click & Build Safe Mode will be updated automatically.
  • Free Mode and self maintained installations:
    • If you have automatic updates enabled for your site, it will be updated to WordPress 4.2.2 / 4.1.5 automatically.
    • If you have automatic updates disabled: Please update manually as soon as possible. Download WordPress 4.2.2

As always, please also update your plugins and themes to the latest versions as well.

4.2.2 security updates and bug fixes

From the WordPress Blog:

  • The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file.
    To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it.
    Reported by Robert Abela of Netsparker.
  • WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue.

WordPress 4.2.2 also fixes some smaller bugs that were introduced in 4.2.1. Please have a look at the official 4.2.2 Release Notes for the full list of improvements. If you want the technical view, consult the 4.2.2 Change Log.

Some of the fixes found in 4.2.2:

  • Fixes an emoji loading error in IE9 and IE10
  • Fixes a keyboard shortcut for saving from the Visual editor on Mac
  • Fixes oEmbed for YouTube URLs to always expect https
  • Fixes how WordPress checks for encoding when sending strings to MySQL
  • Lowers memory usage for a regex checking for UTF-8 encoding
  • Fixes an issue with trying change the wrong index in the wp_signups table on utf8mb4 conversion

 You might also be interested in

Please rate this post :

4 thoughts on “WordPress 4.2.2 and 4.1.5 Security Updates Close Critical Cross-Site Scripting (XSS) vulnerability

  1. Mike M says:


    All 4 of my Safe Mode WordPress Apps are still on 4.1.4. When will they be automatically updated?

    1. 1and1help says:

      Hi Mike,

      we are rolling out 4.2.2 to our shared servers at the moment. The rollout will be finished in the next few days for all safe mode users.

      Michael, 1&1

  2. I’m running WordPress in Safe mode. Yesterday it was updated to 4.1.4. Why isn’t it updating to 4.2.1

    1. 1and1help says:

      Hi Charlotte,
      thanks for asking.

      In the meantime the WordPress developers released another security update (4.2.2). We decided to jump directly to this new version. It is rolling out to all of the safe mode applications at the moment. So your application will be updated very soon. 🙂

      Michael, 1&1

Leave a Reply

Your email address will not be published. Required fields are marked *