A new WordPress version released Thursday fixes two critical cross-site scripting (XSS) vulnerabilities that could allow attackers to compromise websites.
One of the flaws is located in the Genericons icon font package that is used by several popular themes and plug-ins, including the default TwentyFifteen WordPress theme.
Researchers from Web security firm Sucuri warned Wednesday that they’ve already seen attacks targeting this XSS vulnerability.
To exploit it, attackers need to trick users to click on specifically crafted links, but once they do that, they can leverage the flaw to steal authentication cookies. If the victim is a website’s administrator, they could gain full control over that website.
The vulnerability can be mitigated by removing the example.html file that is part of the Genericons package or by upgrading to the newly released WordPress 4.2.2.
“All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file,” the WordPress developers said in the release announcement.
Once installed, WordPress 4.2.2 scans the site’s directory for the vulnerable HTML file and removes all instances of it.
In addition, the new version patches a second critical cross-site scripting flaw which, according to the WordPress developers, could let anonymous users compromise a site. It also hardens defenses for a potential XSS issue in the visual editor.