WordPress Finally Patches Critical XSS Vulnerability

WordPress, which has been under criticism for long for its widespread vulnerabilities, has finally released a new security update, version 4.2.3 for the general public.

The most-important addition it brings to the table is the fix for the cross-site scripting (XSS) vulnerability, which was pointed out by a user privately, which potentially saved countless people from attack.

XSS is a form of attack where malicious code is added to a genuine website, with the intent of gaining private info of a visitor. It ranks as one of the biggest vulnerabilities found on the internet, with White Hat reporting that 66 percent of websites have at least one potential susceptible point.

In the previous versions of WordPress, one compromised user-account with Contributor or Author roles could compromise the whole site. Fortunately, this won’t happen from now on.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

Apart from that, the new update brings 20 bug fixes from version 4.2. This includes the bug which allowed users with Subscriber permissions to create a draft using Quick Draft.

Sites with automatic background are already being updated to the newer version. You can also get the update by going to wordpress.org/download or by choosing ‘Update Now’ under Updates in Dashboard. If you too want to remain protected from all these security flaws, your best bet will be updating as quickly as possible.


  • great fix!

  • Sounds Great!
    But i think there might be some issue, I have tried automatically and manual update method as well, but after giving success message it again show me it is 4.2.2, happening to all of my 4.2.2 WordPress Sites :-(

    Did anyone got a fix here?