WordPress has patched a cross-site scripting vulnerability affecting millions of websites.
Security firm Sucuri disclosed the flaw midweek, tracing it to the TwentyFifteen theme and the JetPack plugin, both of which bundle the Genericons icon-font package.
“Any WordPress Plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons,” explains Sucuri’s blog.
“The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package.”
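Because the weak spot is a single static file rather than code in the theme or plugin itself, the practical check is to look for every copy of that file under the WordPress install. The POSIX shell script below is an added example written for this page, not Sucuri’s or WordPress’s own tooling; it assumes the standard layout with themes and plugins under wp-content/, and it only matches example.html files that live inside a directory named genericons, so an unrelated example.html elsewhere is left alone.

```shell
#!/bin/sh
# Added example (not code from Sucuri or WordPress): audit a WordPress
# install for copies of the Genericons example.html described above.
# Assumes the usual layout: <wp_root>/wp-content/themes and /plugins.

# Print every example.html that sits inside a "genericons" directory,
# searching both themes and plugins. Argument: WordPress root directory.
find_genericons_examples() {
  wp_root="$1"
  find "$wp_root/wp-content/themes" "$wp_root/wp-content/plugins" \
       -type f -path '*/genericons/*' -name 'example.html' 2>/dev/null
}

# Number of matches, as a bare integer, for a quick "am I clean" check.
count_genericons_examples() {
  find_genericons_examples "$1" | wc -l | tr -d ' '
}

# Delete only the matched files; the icon font and CSS in the same
# directory are still needed by the theme or plugin and are kept.
remove_genericons_examples() {
  find_genericons_examples "$1" | while IFS= read -r f; do
    rm -f "$f"
    echo "removed $f"
  done
}

# Usage when run directly:  sh audit_genericons.sh /var/www/html
# (hypothetical script name). With no argument the functions are only
# defined, so the file can also be sourced from another script.
if [ "$#" -gt 0 ]; then
  find_genericons_examples "$1"
fi
```

Run the listing first and review the paths before calling the removal function; on a multi-site host, loop over each document root.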
Because the flaw is DOM-based, the payload travels in the URL fragment and is never sent to the web server, so server-side logs and filters do not see it. An attacker who tricks a logged-in administrator into opening a crafted link gets script running in that administrator’s browser with their session, which can be enough to take over the site.
WordPress has now released a fix in version 4.2.2, which removes the unneeded example.html from the Genericons package bundled with TwentyFifteen and JetPack and also scans wp-content for other copies of the file; users are encouraged to update immediately.
“Any WordPress plugin or theme that includes this file is open to an attack,” Automattic, the company behind JetPack and VaultPress, wrote on the VaultPress blog. “We encourage everyone to head over to Dashboard → Updates in their WordPress dashboard, and click ‘Update Now’.
“Otherwise, you can download WordPress 4.2.2 directly. Once you’re running WordPress 4.2.2, you’re protected from these vulnerabilities.”
It’s unclear how many sites are affected, though Sucuri says both TwentyFifteen and JetPack come pre-installed on millions of sites. A site is exposed only while a reachable copy of example.html remains, so removing the file, or updating to a release that does so, closes the hole.