For the second time this week, WordPress has issued a critical security update for its content management system.
The upgrade, called WordPress 4.2.1, fixes a cross-site scripting vulnerability, and all WP users are advised to patch their software as soon as possible, according to the WP website.
“WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately,” WordPress said on Monday.
“A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.”
“WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.” Some hosting services offer automatic upgrades that should be underway soon, if not already.
Downloading and installing the update is free, and can be done either via the WordPress dashboard or by manual download.
WP launched WordPress 4.1.2 last Tuesday, calling it a “critical security release,” and then on Thursday released version 4.2, called Powell.
“WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.”
A number of plugins also released their own security fixes, and WordPress urges its users to keep everything updated in order to stay secure.