Today saw the release of the new WordPress 4.2.4 update, addressing critical security issues that could potentially damage many WordPress sites. The critical cross-site scripting vulnerabilities, which were first reported by Marc-Alexandre Montpas (part of the Sucuri team), Helen Hou-Sandi (of WordPress Security), Netanel Rubin (of CheckPoint) and Ivan Grigorov, had the potential to allow anonymous users to compromise a site.
The full details of this vulnerability can be found on the WordPress website here, where they also address a fix that prevents an attacker from locking a post from being edited. Release notes for the 20+ bug fixes included in WordPress 4.2.3 can be found here.
What Should Pressidium Customers Do?
Absolutely nothing. Because this is a critical release, our engineers are already putting the update package for WordPress 4.2.4 together, ready to push to the servers as soon as possible. As a valued Pressidium customer, you benefit from us doing the work behind the scenes, without you having to lift a finger.
At Pressidium, as part of our management services, we are responsible for updating our customers' WordPress core to the latest stable release. As you may already know, it is essential to keep your WordPress core as up to date as possible in order to address vulnerabilities and new security issues as they arise.
We update your WordPress core on the following schedule:
- Security releases (or minor releases, like this current release) are applied automatically within 24 hours of the official release, without notifying you. These kinds of updates are often emergency security fixes and typically don't change or add any functionality to your site, so the risk of breaking something on your site is minimal.
- Major releases (such as 4.1 and 4.2) are applied automatically, roughly two weeks after their official release. Major releases add and often change existing functionality, so it is possible (not often, but the possibility is there) for them to break your site, make your plugins misbehave, or break the layout of your template. For this reason, we give our customers this "two week grace period" so they can test their sites at their own pace in the staging environment.
For further information regarding how we approach and tackle the matter of core WordPress updates, please read this in-depth article on the subject.