{"id":3628,"date":"2015-04-21T13:44:58","date_gmt":"2015-04-21T13:44:58","guid":{"rendered":"http:\/\/wordpress.org\/news\/?p=3628"},"modified":"2021-06-04T12:01:01","modified_gmt":"2021-06-04T12:01:01","slug":"wordpress-4-1-2","status":"publish","type":"post","link":"https:\/\/wordpress.org\/news\/2015\/04\/wordpress-4-1-2\/","title":{"rendered":"WordPress 4.1.2 Security Release"},"content":{"rendered":"<p>WordPress 4.1.2 is now available. This is a <strong>critical security release<\/strong> for all previous versions and we strongly encourage you to update your sites immediately.<\/p>\n<p>WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by <a href=\"https:\/\/cedricvb.be\">Cedric Van Bockhaven<\/a>\u00a0and\u00a0fixed by <a href=\"http:\/\/pento.net\/\">Gary Pendergast<\/a>, <a href=\"http:\/\/blogwaffe.com\/\">Mike Adams<\/a>, and <a href=\"http:\/\/nacin.com\/\">Andrew Nacin<\/a> of the WordPress security team.<\/p>\n<p>We also fixed three other security issues:<\/p>\n<ul>\n<li>In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by <a href=\"http:\/\/HSASec.de\">Michael Kapfer and Sebastian Kraemer of HSASec<\/a>.<\/li>\n<li>In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by <a href=\"http:\/\/zoczus.blogspot.com\/\">Jakub Zoczek<\/a>.<\/li>\n<li>Some plugins were\u00a0vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.<\/li>\n<\/ul>\n<p>We also made four\u00a0hardening changes, discovered by\u00a0<a href=\"http:\/\/codesymphony.co\/\">J.D. Grimes<\/a>, Divyesh Prajapati, <a href=\"http:\/\/www.allancollins.net\/\">Allan Collins<\/a>, <a href=\"https:\/\/sucuri.net\/\">Marc-Alexandre Montpas<\/a> and <a href=\"https:\/\/profiles.wordpress.org\/jblz\/\">Jeff Bowen<\/a>.<\/p>\n<p>We appreciated the <a href=\"https:\/\/make.wordpress.org\/core\/handbook\/reporting-security-vulnerabilities\/\">responsible disclosure<\/a> of these issues directly to our security team. For more information, see the <a href=\"https:\/\/codex.wordpress.org\/Version_4.1.2\">release notes<\/a> or consult the <a href=\"https:\/\/core.trac.wordpress.org\/log\/branches\/4.1?rev=32234&amp;stop_rev=32144\">list of changes<\/a>.<\/p>\n<p><a href=\"https:\/\/wordpress.org\/download\/\">Download WordPress 4.1.2<\/a> or venture over to <strong>Dashboard \u2192 Updates<\/strong> and simply click &#8220;Update Now.&#8221; Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.<\/p>\n<p>Thanks to everyone who contributed to 4.1.2: <a href=\"https:\/\/profiles.wordpress.org\/collinsinternet\/\">Allan Collins<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/xknown\/\">Alex Concha<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/nacin\/\">Andrew Nacin<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/azaozz\/\">Andrew Ozz<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/vortfu\/\">Ben Bidner<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/boonbgorges\/\">Boone Gorges<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/dd32\/\">Dion Hulse<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/ocean90\/\">Dominik Schilling<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/DrewAPicture\/\">Drew Jaynes<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/pento\/\">Gary Pendergast<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/helen\/\">Helen Hou-Sand\u00ed<\/a>, <a href=\"https:\/\/profiles.wordpress.org\/johnbillion\/\">John Blackbourn<\/a>, and <a href=\"https:\/\/profiles.wordpress.org\/mdawaffe\/\">Mike Adams<\/a>.<\/p>\n<p>A number of plugins also released security fixes yesterday. Keep everything updated to stay secure.\u00a0If you\u2019re a plugin author, please read <a href=\"https:\/\/make.wordpress.org\/plugins\/2015\/04\/20\/fixing-add_query_arg-and-remove_query_arg-usage\/\">this post<\/a> to confirm that your plugin is not affected by the same issue. Thank you to all of the plugin authors who worked closely with our security team to ensure a coordinated response.<\/p>\n<p><em>Already testing WordPress 4.2? The third release candidate is now available (<a href=\"https:\/\/wordpress.org\/wordpress-4.2-RC3.zip\">zip<\/a>) and it contains these fixes. For more on 4.2, see <a href=\"https:\/\/wordpress.org\/news\/2015\/04\/wordpress-4-2-release-candidate\/\">the RC\u00a01 announcement post<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven\u00a0and\u00a0fixed by [&hellip;]<\/p>\n","protected":false},"author":2004385,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"episode_type":"","audio_file":"","cover_image":"","cover_image_id":"","duration":"","filesize":"","date_recorded":"","explicit":"","block":"","filesize_raw":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[14,15],"tags":[163],"class_list":["post-3628","post","type-post","status-publish","format-standard","hentry","category-releases","category-security","tag-4-1"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pZhYe-Ww","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/3628","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/users\/2004385"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/comments?post=3628"}],"version-history":[{"count":10,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/3628\/revisions"}],"predecessor-version":[{"id":3671,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/3628\/revisions\/3671"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/media?parent=3628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/categories?post=3628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/tags?post=3628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}