WordPress has just released its latest stable version, WordPress 4.2.1. We recommend updating to this version immediately to protect your site from a flaw that could allow remote code execution to gain administrative control without authorisation.
We are announcing a security update to both our themes and plugins because of an XSS vulnerability in WordPress 4.1.1 and earlier. We strongly encourage you to update to WordPress 4.1.2 immediately. A few of the other plugins you use are probably affected too.
WordPress 4.1.2 Security Release
WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting (XSS) vulnerability caused by misuse of the add_query_arg() and remove_query_arg() functions, which could enable anonymous users to compromise a site. The WordPress 4.1.2 update also fixes three other security issues, as announced by the WordPress security team.
This XSS vulnerability also affects multiple WordPress plugins. We highly recommend you go to your wp-admin dashboard and update any out-of-date plugins now. Here is the list of affected WordPress plugins identified by security firm Sucuri (chances are a few more have not been listed yet):
- WordPress SEO
- Google Analytics by Yoast
- All in One SEO
- Gravity Forms
- Multiple plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
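To review your own theme or plugin code for the add_query_arg() / remove_query_arg() misuse described above, the following heuristic scanner flags calls that are not wrapped in esc_url() or esc_url_raw(). It is an added example, not code from WordPress, Sucuri or DesignWall; the function names and the sample PHP are constructed for illustration, and each finding is a candidate for manual review rather than a confirmed bug.

```python
import re

# add_query_arg()/remove_query_arg() return an unescaped URL; with no URL
# argument they build it from the current request URI.
CALL = re.compile(r"\b(?:add|remove)_query_arg\s*\(")
ESCAPERS = {"esc_url", "esc_url_raw"}  # WordPress URL-escaping helpers

# Constructed sample input, not taken from any real theme or plugin.
SAMPLE_PHP = '''<?php
// constructed sample
echo '<a href="' . add_query_arg( 'page', 2 ) . '">Next</a>';
echo '<a href="' . esc_url( add_query_arg( 'page', 2 ) ) . '">Next</a>';
$clean = remove_query_arg( array( 'updated', 'error' ) );
wp_safe_redirect( esc_url_raw( remove_query_arg( 'updated', $base ) ) );
'''

def enclosing_calls(src, pos):
    """Names of the calls whose argument list contains offset pos.

    Walks back to the previous ';' and does not parse PHP strings, so a
    ';' or parenthesis inside a string literal can give a wrong result.
    """
    names, depth, i = [], 0, pos - 1
    while i >= 0 and src[i] != ";":
        if src[i] == ")":
            depth += 1
        elif src[i] == "(":
            if depth:
                depth -= 1
            else:
                m = re.search(r"([A-Za-z_]\w*)\s*$", src[:i])
                names.append(m.group(1) if m else "")
        i -= 1
    return names

def find_unescaped_calls(src):
    """Return (line_number, line) for each call not wrapped in an escaper."""
    lines, findings = src.splitlines(), []
    for m in CALL.finditer(src):
        if not ESCAPERS.intersection(enclosing_calls(src, m.start())):
            line_no = src.count("\n", 0, m.start()) + 1
            findings.append((line_no, lines[line_no - 1].strip()))
    return findings

if __name__ == "__main__":
    for line_no, line in find_unescaped_calls(SAMPLE_PHP):
        print(f"review line {line_no}: {line}")
```

A value assigned to a variable, as on line 5 of the sample, is still reported, because the scanner cannot see whether it is escaped later at the point of output.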
For DesignWall users: How to apply this update
We have carefully audited all our themes and plugins and fixed those affected by this XSS bug, including:
- DW Trendy — 1.1.6
- DW Jason — 1.0.4
- WallPress — 1.1.8
- DW Wall — 1.1.3
- DW Kido — 1.0.2
- DW Argo — 1.0.9
- DW Fixel — 1.0.9
- DW Page — 1.0.7
- DW Question & Answer — 1.3.3
If you are using one of our themes or plugins mentioned above, please update it by following these regular update steps. As mentioned above, to stay secure you should keep everything on your sites updated, not just our themes and plugins.
If you’re interested in the how and why, please read this post for a more detailed explanation. Thank you to the WordPress security team, Joost de Valk and the Sucuri team for helping keep us safe and ahead of the threats.
If you have any difficulty updating our themes and plugins, please submit your question here. Our team will be happy to help you out.