Attention all WordPress users: I recommend that right now is a great time to install the WordPress update.
WordPress, the content management system, rolled out an update this Thursday to address a major security flaw affecting millions of websites. Security researchers at Sucuri were the first to find the vulnerability, which leaves affected websites susceptible to an attack that could allow others to take control of the sites.
The flaw comes from a bad file within Genericons, an icon font package that is preloaded by default into many WordPress sites, including the default TwentyFifteen theme and the JetPack plugin, according to the researchers. The file exposes affected websites to a cross-site scripting (XSS) vulnerability, which could give attackers a way to gain control of a website.
A quote from WordPress: “Any WordPress plugin or theme that includes this file is open to an attack,” it wrote in a post on its VaultPress blog addressing the issue.
The Sucuri researchers note that though the flaw is far-reaching, it would be a “bit harder to exploit” compared with other flaws, though the effects of an attack can be severe. For its part, WordPress says its latest patch removed the problematic files from its themes and plugins.
“Between the update and the very simple action that web hosts can take to protect we estimate that there are not too many vulnerable sites in the wild,” a WordPress spokesperson said, adding that “staying up to date on the latest and greatest version of WordPress is the single best thing you can do to stay secure.”
Users can get the WordPress update from the updates menu in their main dashboard. The patch has already started rolling out to those with automatic updates enabled.