This entry was posted in WordPress Security on September 19, 2017 by Mark Maunder

WordPress Core version 4.8.2 has just been released. This is a minor update and a security release which means that your sites will update automatically within the next 24 hours unless you have disabled auto updates.

The update includes a fix to $wpdb->prepare() to help protect against SQL injection attacks. WordPress core is not directly vulnerable to SQL injection through this function, but certain plugins and themes may be vulnerable depending on how they use $wpdb->prepare() in their code. This fix alone is reason to update to 4.8.2 immediately.
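The post does not spell out which usage of $wpdb->prepare() puts a plugin at risk. As an added example that is not part of the original post, the snippet below contrasts the usage plugin authors should audit for (untrusted input concatenated into the query text before it reaches prepare(), so prepare() never escapes it) with the intended usage (fixed query literal, values bound through typed placeholders). It assumes the standard WordPress $wpdb global and an invented $_GET['id'] parameter.

```php
<?php
// Added example, not code from the original post or from WordPress core.
// Assumes the standard global $wpdb object inside a plugin or theme.
global $wpdb;

// Hypothetical untrusted input (constructed for illustration).
$requested_id = isset( $_GET['id'] ) ? $_GET['id'] : '';

// Pattern to remove: the value is spliced into the query text, so prepare()
// receives it as part of the format string, not as data to escape. A value
// containing quotes or '%' specifiers is interpreted as SQL / format syntax.
// (WordPress also raises a _doing_it_wrong notice when prepare() gets no args.)
$unsafe_sql = $wpdb->prepare(
    "SELECT post_title FROM {$wpdb->posts} WHERE ID = " . $requested_id
);

// Intended usage: the query is a fixed literal; each untrusted value is passed
// as a separate argument and bound via a typed placeholder (%d, %s, %f).
// Literal percent signs in the query text must be written as %%.
$safe_sql = $wpdb->prepare(
    "SELECT post_title FROM {$wpdb->posts} WHERE ID = %d AND post_status = %s",
    $requested_id,
    'publish'
);

// Only the prepared string is ever executed.
$title = $wpdb->get_var( $safe_sql );
```

A quick audit rule for the fix this release shipped: every call to $wpdb->prepare() should have a string literal as its first argument and all dynamic values in the arguments that follow.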

The release fixes five cross-site scripting vulnerabilities. These are in:

oEmbed discovery

The visual editor

The plugin editor

In template names

Two path traversal vulnerabilities were fixed. These are:

In the file unzipping code

In the customizer

An open redirect was also fixed on the user and term editing screens. 4.8.2 also includes 6 maintenance fixes.

Now that the existence of these vulnerabilities is public, it becomes much more likely that they will be exploited. It is very important that you update as soon as possible to 4.8.2.

To update manually now you can sign into your WordPress site, mouse over the Dashboard on the top left and click ‘Updates’ and complete the update process.

Please share this information with the rest of the community to ensure everyone updates in a timely fashion. Thanks.

Resources: