WordPress.org has released version 4.8.2 of its content management system. This latest version fixes nine security issues, five of which are cross-site scripting (XSS) vulnerabilities.
The main issue was in $wpdb->prepare(), which could create unexpected and unsafe queries that lead to SQL injection.
The company noted that the WordPress core is not directly vulnerable, but this area was tightened up to prevent any accidents.
The XSS issues were found in oEmbed discovery, the visual editor, the plugin editor, template names, and the link modal.
WordPress recently found that a malicious attacker had added a backdoor to one of its plugins. The plugin, Display Widgets, has possibly affected up to 200,000 websites since June.
Two path traversal vulnerabilities were found in the file unzipping code and in the customizer. An open redirect was also found and repaired.
These vulnerabilities affect WordPress 4.8.1 and all earlier versions. The advice from the company is to upgrade immediately.