It is time for another important security update.
WordPress 4.2.4 was just released, including several important security fixes for all previous WordPress Versions. We recommend you update your websites immediately.
- WordPress websites with automatic updates enabled and WordPress websites in 1&1 Safe Mode will receive the update shortly.
- If you have automatic updates disabled, we recommend you update from your WordPress dashboard now.
From the WordPress Blog
WordPress 4.2.4 fixes three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site (CVE-2015-2213).
It also includes a fix for a potential timing side-channel attack and prevents an attacker from locking a post from being edited.
In addition to the security fixes, WordPress 4.2.4 contains fixes for 4 bugs from 4.2.3, including:
- FIX – WPDB: When checking the encoding of strings against the database, make sure we’re only relying on the return value of strings that were sent to the database. #32279
- FIX – Don’t blindly trust the output of glob() to be an array. #33093
- FIX – Shortcodes: Handle do_shortcode('<[shortcode]') edge cases. #33116
- FIX – Shortcodes: Protect newlines inside of CDATA. #33106
Source: WordPress Blog