It’s time to update your self-hosted versions of WordPress again.
WordPress 4.2.4, released on Tuesday, fixes four bugs and several security issues:
- Three cross-site scripting vulnerabilities
- An SQL injection injection bug (CVE-2015-2213) that can result in a remote attacker executing arbitrary SQL commands on the affected system and to ultimately compromise a website running on the popular CMS
- A bug that could allow attackers to mount a timing side-channel attack
- A bug that can allow attackers to prevent a post from being edited (ever).
Even though there is no mention of any of the bugs being currently exploited in the wild, the developers are urging users to update immediately.
Users can do so manually (Dashboard -> Updates -> click “Update Now”) or can (finally) decide to turn on automatic background updating.