WordPress Security and Maintenance Release – 4.8.2

WordPress Security and Maintenance Release 4.8.2 is now available for download. Many websites have already been updated by the automatic update service, but we strongly suggest you check whether your websites have actually received the update. We also recommend that you do not disable automatic updates, as they can be critical when a vulnerability is disclosed. As always, we feel obligated to remind you to make a full site and database backup before updating your site software.

So, what issues were fixed in the WordPress 4.8.2 release? There are nine issues related to WordPress security and six small bug fixes.

WordPress Security issues fixed in WordPress 4.8.2 release

  1. $wpdb->prepare() can create unexpected and unsafe queries, leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco.
  2. A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
  3. A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
  4. A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
  5. A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by Chen Ruiqi.
  6. An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
  7. A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.
  8. A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by Luka (sikic).
  9. A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by Anas Roubi (qasuar).
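The first item is the one that matters most to plugin and theme authors: prepare() only protects you when the query text is a fixed literal and every untrusted value is handed over as a placeholder argument. As an added example (not code from this post, from WordPress core, or from any real plugin), the following Python script scans PHP source for $wpdb->prepare() calls whose first argument is built from concatenation, sprintf(), request superglobals or interpolated variables, or that receive no values at all. The sample PHP it runs on is constructed for the demonstration, and the checks are a heuristic text scan rather than a full PHP parser, so treat hits as candidates for manual review.

```python
import re

# Constructed sample of plugin-style PHP (not from WordPress core or any real plugin).
# Line numbers matter for the report: the first prepare() call is on line 3.
SAMPLE_PHP = r'''<?php
// ok: literal format string, the untrusted value is passed as a placeholder argument
$sql = $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE post_title = %s", $title );
// unsafe: request data is concatenated into the format string itself
$sql = $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE post_title = '" . $_GET['title'] . "'" );
// unsafe: the format string is assembled with sprintf() before prepare() sees it
$sql = $wpdb->prepare( sprintf( "SELECT * FROM %s WHERE id = %%d", $table ), $id );
// unsafe: a variable is interpolated into the format string and no values are passed
$sql = $wpdb->prepare( "SELECT * FROM {$wpdb->options} WHERE option_name = '$name'" );
'''

STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'')
REQUEST_SUPERGLOBAL = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b')
# a $variable inside a double-quoted string, ignoring the common {$wpdb->table} idiom
INTERPOLATED_VAR = re.compile(r'\$(?!wpdb\b)[A-Za-z_]\w*')
PREPARE_CALL = re.compile(r'->\s*prepare\s*\(')


def extract_call_args(src, start):
    """Return the text between the balanced parentheses that begin at src[start].
    String literals are tracked so brackets and quotes inside them are ignored."""
    depth, quote, i = 0, None, start
    while i < len(src):
        c = src[i]
        if quote:
            if c == '\\':
                i += 2
                continue
            if c == quote:
                quote = None
        elif c in ('"', "'"):
            quote = c
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
        i += 1
    raise ValueError('unbalanced parentheses in prepare() call')


def split_top_level_args(args_text):
    """Split an argument list on commas that are not nested in brackets or strings."""
    parts, buf, depth, quote, i = [], [], 0, None, 0
    while i < len(args_text):
        c = args_text[i]
        buf.append(c)
        if quote:
            if c == '\\' and i + 1 < len(args_text):
                buf.append(args_text[i + 1])
                i += 2
                continue
            if c == quote:
                quote = None
        elif c in ('"', "'"):
            quote = c
        elif c in '([{':
            depth += 1
        elif c in ')]}':
            depth -= 1
        elif c == ',' and depth == 0:
            buf.pop()  # drop the separating comma
            parts.append(''.join(buf).strip())
            buf = []
        i += 1
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def classify_format_arg(arg):
    """Reasons the first prepare() argument is not a fixed, literal format string."""
    reasons = []
    outside = STRING_LITERAL.sub('""', arg)  # blank out literal contents, keep the operators
    if '.' in outside:
        reasons.append('format string built with string concatenation')
    if re.search(r'\b(?:sprintf|vsprintf)\s*\(', outside):
        reasons.append('format string assembled with sprintf()')
    if REQUEST_SUPERGLOBAL.search(arg):
        reasons.append('request data reaches the format string')
    for lit in STRING_LITERAL.finditer(arg):
        if lit.group().startswith('"') and INTERPOLATED_VAR.search(lit.group()):
            reasons.append('variable interpolated into a double-quoted format string')
            break
    return reasons


def audit_prepare_calls(src):
    """Return [(line, [reasons])] for every $wpdb->prepare() call that looks unsafe."""
    findings = []
    for m in PREPARE_CALL.finditer(src):
        args = split_top_level_args(extract_call_args(src, m.end() - 1))
        line = src.count('\n', 0, m.start()) + 1
        reasons = classify_format_arg(args[0]) if args else ['prepare() called without a query']
        if len(args) < 2:
            reasons.append('no values passed, so nothing is being parameterised')
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == '__main__':
    for line, reasons in audit_prepare_calls(SAMPLE_PHP):
        print(f'line {line}: ' + '; '.join(reasons))
```

Running the script reports the calls on lines 5, 7 and 9 of the sample and leaves the first call alone. To audit an installed plugin, read each .php file under its directory and pass the contents to audit_prepare_calls(); a clean call is one whose query is a single double-quoted literal (table names via {$wpdb->prefix} are fine) followed by one argument per %s, %d or %f placeholder.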

Other issues fixed in WordPress 4.8.2 release

  1. Emoji component – upgrade Twemoji to 2.5.0.
  2. Emoji component – fix UN flag test by returning the correct value.
  3. I18N component – support numbers in locales during installation.
  4. Security improvement – add more sanitization in _cleanup_header_comment.
  5. Widgets component – new Text Widget recognizes HTML but does not render it in the front end.
  6. Widgets component – the text widget could show DOMDocument::loadHTML() warnings in the admin when the is_legacy_widget() method is called.

List of files revised in WordPress 4.8.2 release

  • wp-admin/about.php
  • wp-admin/edit-tag-form.php
  • wp-admin/includes/class-wp-plugins-list-table.php
  • wp-admin/includes/file.php
  • wp-admin/includes/template.php
  • wp-admin/install.php
  • wp-admin/js/widgets/text-widgets.js
  • wp-admin/js/widgets/text-widgets.min.js
  • wp-admin/plugin-editor.php
  • wp-admin/plugins.php
  • wp-admin/setup-config.php
  • wp-admin/theme-editor.php
  • wp-admin/user-edit.php
  • wp-includes/class-wp-customize-manager.php
  • wp-includes/embed.php
  • wp-includes/formatting.php
  • wp-includes/js/mce-view.js
  • wp-includes/js/mce-view.min.js
  • wp-includes/js/tinymce/plugins/wplink/plugin.js
  • wp-includes/js/tinymce/plugins/wplink/plugin.min.js
  • wp-includes/js/tinymce/wp-tinymce.js.gz
  • wp-includes/js/twemoji.js
  • wp-includes/js/twemoji.min.js
  • wp-includes/js/wp-emoji-loader.js
  • wp-includes/js/wp-emoji-loader.min.js
  • wp-includes/js/wp-emoji-release.min.js
  • wp-includes/js/wplink.js
  • wp-includes/js/wplink.min.js
  • wp-includes/script-loader.php
  • wp-includes/version.php
  • wp-includes/widgets/class-wp-widget-text.php
  • wp-includes/wp-db.php
Darius S.
