WordPress 4.4.2 Security and Maintenance Release

WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4.1 and earlier are affected by two security issues: a possible SSRF for certain local URIs, reported by Ronni Skansing; and an open redirection attack, reported by Shailesh Suthar.

Thank you to both reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.4.2 fixes 17 bugs from 4.4 and 4.4.1. For more information, see the release notes or consult the list of changes.

Download WordPress 4.4.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.4.2.

Thanks to everyone who contributed to 4.4.2:

Andrea Ferciaberengerzyla, Boone Gorges, Chandra Patel, Chris Christoff, Dion Hulse, Dominik Schilling, firebird75, Ivan Kristianto, Jennifer M. Dodd, salvoaranzulla

WordPress 4.3.1 Security and Maintenance Release

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.

  • WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
  • A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
  • Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.3.1 also fixes twenty-six bugs. For more information, see the release notes or consult the list of changes.

Download WordPress 4.3.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.3.1.

Thanks to everyone who contributed to 4.3.1:

Adam Silverstein, Andrea FerciaAndrew Ozz, Boone Gorges, Brandon Kraft, chriscct7, Daisuke Takahashi, Dion Hulse, Dominik Schilling, Drew Jaynes, dustinbolton, Gary Pendergast, hauvong, James Huff, Jeremy Felt, jobst, Marin Atanasov, Nick Halsey, nikeo, Nikolay Bachiyski, Pascal Birchler, Paul Ryan, Peter Wilson, Robert Chapin, Samuel Wood, Scott Taylor, Sergey Biryukov, tmatsuur, Tracy Levesque, Umesh Nevase, vortfu, welcher, Weston Ruter

WordPress 4.2.4 Security and Maintenance Release

WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.4 also fixes four bugs. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.4 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.4.

Already testing WordPress 4.3? The second release candidate is now available (zip) and it contains these fixes. For more on 4.3, see the RC 1 announcement post.

WordPress 4.2.2 Security and Maintenance Release

WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Version 4.2.2 addresses two security issues:

  • The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
  • WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue.

The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.

Thanks to everyone who contributed to 4.2.2:

Aaron Jorbin, Andrew Ozz, Andrew Nacin, Boone Gorges, Dion Hulse, Ella Iseulde Van Dorpe, Gary Pendergast, Hinaloe, Jeremy Felt, John James Jacoby, Konstantin Kovshenin, Mike Adams, Nikolay Bachiyski, taka2, and willstedt.

Improvements to WordPress.org

If you visit WordPress.org regularly you might have noticed some changes around the place. If you don’t, now’s the time to check them out! We’ve been working hard to improve the site to make it more useful to everyone, both developers and users, and we hope you like what we’ve done.

New Theme and Plugin Directories

Since WordPress 3.8, you’ve been enjoying improved theme management in your WordPress admin, and in WordPress 4.0 plugin management was refined. We’ve brought these experiences from your admin and re-created them right here on WordPress.org.

Theme Directory

The Theme Directory has a better browsing experience, with handy tabs where you can view featured, popular, and the latest themes. As with the theme experience in your admin, you can use the feature filter to browse for just the right theme for your WordPress website.

theme-directory

Click on a theme to get more information about it, including shiny screenshots, ratings, and statistics.

theme-directory-individual

Konstantin Obenland posted a good overview of everything involved with the theme directory overhaul and followed up with a post on improved statistics.

Plugin Directory

The Plugin Directory has a brand new theme that mirrors the experience in your WordPress admin, with a more visual experience, and better search and statistics.

plugin-directory

As well as a facelift, there are some great new features for you to play around with:

  • Favorites – when you’re logged in to you WordPress.org account, this page gives you direct access to the plugins that you have favorited.
  • Beta Testing – try out plugins where developers are experimenting with new features for WordPress.
  • Search by plugin author – you can search for a plugin author using their username.
  • Better statistics – listings now display the number of active installs so you can see how many people are actually using a plugin.

An overview of the new theme was posted by Scott Reilly.

Better Statistics

We’ve made huge improvements to our statistics. This gives us more useful information about the WordPress versions people are using, their PHP version, and their MySQL version.

Already these new statistics have provided us with useful insights into WordPress usage.

  • More than 43% of all sites are running the latest version of WordPress. Previously, we thought only 10% of sites were up-to-date. By excluding sites that are no longer online we were able to improve these statistics.
  • We were able to clear up the data around WordPress 3.0, bringing it more in line with expectations. This anomaly was a by-product of spammers.
  • Only 15.9% of sites are using PHP 5.2, which is better than we thought.

Over the coming months we’ll be able to use these statistics to bring you new tools and improvements, and to make more informed decisions across the board. Read Andrew Nacin’s post about these changes for more background.

Thanks!

Thanks to everyone who contributed to the theme directory redesign, the plugin directory refresh, and improved statistics: Alin MarcuDamon Cook, Dion Hulse, Dominik Schilling, Jan Cavan Boulas, Konstantin Obenland, Kyle Maurer, Matías Ventura, Mel Choyce, Natalie MacLees, Paul de Wouters, Samuel Sidler, Samuel Wood (Otto), Scott Reilly, Siobhan McKeown.

If you want to help out or follow along with future WordPress.org projects, check out Make WordPress and our meta development blog.