
Blogging safe again after WordPress scare

WordPress has patched a cross-site scripting vulnerability affecting millions of websites.

Security firm Sucuri first spotted the security flaw midweek, pinpointing the TwentyFifteen theme and JetPack plugin at the heart of the problem.

“Any WordPress Plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons,” explains Sucuri’s blog.

“The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package.”

If exploited, it could allow hackers to seize total control of a site.

WordPress has now released a fix, and is encouraging its users to update to WordPress version 4.2.2 immediately.

“Any WordPress plugin or theme that includes this file is open to an attack,” the company wrote on its VaultPress blog. “We encourage everyone to head over to Dashboard → Updates in their WordPress dashboard, and click ‘Update Now’.

“Otherwise, you can download WordPress 4.2.2 directly. Once you’re running WordPress 4.2.2, you’re protected from these vulnerabilities.”
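Because the problem is a single shipped file, an administrator can verify that no theme or plugin on a site still carries it after updating. The script below is an added example, not code from the article, Sucuri or WordPress: it walks a site root looking for any path ending in genericons/example.html and lists what it finds. The site root path argument and the throwaway fixture tree (used so the check can be exercised offline) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the Trusted Reviews article or from WordPress:
# list every copy of the genericons package's example.html found under a
# WordPress install, so an administrator can confirm that no plugin or
# theme still ships the file after updating to 4.2.2.
#
# Assumption: the site root is passed as the first argument
# (defaults to /var/www/html when invoked with none).

find_genericons_example() {
    root="${1:-/var/www/html}"
    # Match only the file the article names: <anything>/genericons/example.html.
    # Permission errors are silenced so the list stays clean.
    find "$root" -type f -path '*/genericons/example.html' 2>/dev/null | sort
}

# Constructed fixture (not a real site): a temporary tree mimicking
# wp-content with one theme that still carries example.html and one
# plugin whose genericons directory does not.
make_fixture() {
    fixture="$(mktemp -d)"
    mkdir -p "$fixture/wp-content/themes/twentyfifteen/genericons"
    mkdir -p "$fixture/wp-content/plugins/jetpack/_inc/genericons"
    : > "$fixture/wp-content/themes/twentyfifteen/genericons/example.html"
    : > "$fixture/wp-content/plugins/jetpack/_inc/genericons/genericons.css"
    printf '%s\n' "$fixture"
}

# Report: exit 0 when the site is clean, 1 when at least one copy remains.
main() {
    root="$1"
    hits="$(find_genericons_example "$root")"
    if [ -z "$hits" ]; then
        echo "OK: no genericons/example.html under $root"
        return 0
    fi
    echo "FOUND copies of genericons example.html (remove or update the owning theme/plugin):"
    printf '%s\n' "$hits"
    return 1
}

# Run the report only when a site root is supplied on the command line,
# e.g.  sh genericons_check.sh /var/www/html
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

On a real install the only argument is the WordPress root; a non-zero exit makes the check usable from a cron job or a deployment pipeline, and each listed path tells you which theme or plugin still needs its update applied.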


It’s unclear how many users have been affected by the problem, though Sucuri says both TwentyFifteen and JetPack came pre-installed on millions of accounts.
