Vulnerabilities in WordPress themes and plug-ins affects millions of WordPress users
Two major vulnerabilities have been found in Wordpress that would allow an attacker to compromise your site. We recommend that all WordPress users urgently upgrade their installations to the latest version 4.22 which has been issued to patch these problems. You can do that by going over to 'Dashboard' => 'Updates' and simply click "Update Now".
The first vulnerabilty has been found in the JetPack plugin and in the Twenty Fifteen default theme that is added by default in many WordPress installations.
Sucuri explains that...
"Any WordPress Plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons. So far, the JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) are found to be vulnerable. The exact count is difficult to grasp, but both the plugin and theme are default installs in millions of WordPress installs. The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package."
A second vulnerability has been discovered by WordPress which would enable a commenter to compromise a site. Again, this is patched in the latest version which we recommend you install now.
More information has been given by WordPress on their blog.
Our Content Management System (CMS) is a flexible and efficient way to manage your site...
Find out more