By Gary Nugent

WordPress 4.6.1

A new version of WordPress (4.6.1) was released recently to address an important security flaw.

WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.

Many security researchers with different levels of expertise participated in a joint bug hunting session that took aim at discovering security issues in WordPress and its most popular plugins.

The bug hunting camp yielded reports for over 120 security issues. Among the most impactful were issues in two WordPress plugins deployed on millions of sites: All in One SEO and WooCommerce.

Both are persistent XSS issues. Sahin is also the researcher who discovered the XSS issue affecting the WooCommerce plugin, which, just like the XSS bug fixed in the WordPress core, can be exploited via image metadata and lead to a full takeover of the affected website.

The other 15 bugs fixed in WordPress 4.6.1 are related to the underlying CMS codebase and are not considered security issues.

I strongly urge you to check all your WordPress websites and update to the latest version of WordPress: Version 4.6.1. Some sites will auto-update to the latest version of WP while others may update to earlier versions of WP. It depends on which version of WP you have on a site.

The best thing to do is manually check each of your sites and if they’re not already running V4.6.1, to manually upgrade to that version.

Who does this affect?

This affects all websites running WordPress 4.5 and earlier. (In other words, every version of WordPress except for the very latest version).

What version do I have?

You can check which version of WordPress you’re running by logging into your WordPress dashboard.

Your “at a glance” box will tell you your current version, and if you’re NOT running the latest version there will be a link at the top of your dashboard that will take you to the update page.

Do I need to backup my site?

I recommend that you back up your site prior to updating your version of WordPress as a safety measure.

Your webhost may have backed up your site as part of its hosting services but it’s always a good idea to back up your site yourself and download a copy to your PC for safekeeping.

At the very least, use a plugin to automatically back up your database. The WordPress front-end and theme can always be reinstalled, but if you lose your database, you’ve lost your site and all its content.

For more about backing up your own site, see:

Tagged with:

Filed under: WordPress Security