WordPress Update 4.4.1 Released

Last week, Word­Press announced the release of an update to address secu­ri­ty and main­te­nance issues. The pub­lish­ing plat­form urged users to update their sys­tems imme­di­ate­ly, pro­tect­ing them from a cross-site script­ing (XSS) vul­ner­a­bil­i­ty.

Aaron  Jorbin, a Word­Press con­trib­u­tor who pub­lished news of the update’s release on the com­pa­ny’s offi­cial blog, warned that Word­Press ver­sions 4.4 and ear­li­er could allow sites to be com­pro­mised due to the cross-site script­ing vul­ner­a­bil­i­ty.  The loop­hole was dis­cov­ered and report­ed by Crtc4L.

The bug allows remote attack­ers to gain access and com­pro­mise sites. Hack­ers are able to pass mali­cious con­tent between sites through the cross-site script­ing vul­ner­a­bil­i­ty. The kind of code injec­tion bypass­es the same-ori­gin pol­i­cy, which is an impor­tant con­cept in web secu­ri­ty appli­ca­tions. Wikipedia says under the pol­i­cy, “a web brows­er per­mits scripts con­tained in a first web page to access data in a sec­ond web page, but only if both web pages have the same ori­gin.” 

The vul­ner­a­bil­i­ty was spot­ted by Crtc4L, who is an inde­pen­dent secu­ri­ty researcher based in the Philip­pines. They were award­ed a boun­ty through HackerOne for their dis­cov­ery.

In addi­tion, the update also con­tains sev­er­al bug fix­es unre­lat­ed to secu­ri­ty. Among them are sup­port for all the new emo­ji char­ac­ters late­ly added to the emo­ji col­lec­tion, includ­ing the diverse hand ges­tures and faces. Fans of emo­jis on iOS will rejoice at the long-await­ed news.

Word­Press 4.4.1 fix­es 52 bugs from the last ver­sion. Fix­es to solu­tions includ­ed: “Some sites with old­er ver­sions of OpenSSL installed were unable to com­mu­ni­cate with oth­er ser­vices pro­vid­ed through some plu­g­ins,” and “if a post URL was ever re-used, the site could redi­rect to the wrong post.”

Auto­mat­ic updates are being rolled out to sites that sup­port auto­mat­ic back­ground updates. To down­load man­u­al­ly, you can either head over to Dash­board > Updates in Word­Press and click on the “Update Now” but­ton, or down­load Word­Press 4.4.1 from Word­Press direct­ly.