Genericons XSS Vulnerability & WordPress 4.2.2

An XSS vulnerability has been found in Genericons. To explain further, Genericons ships a file called example.html, which has been found to be vulnerable to DOM-based cross-site scripting (the flaw is in the page's own client-side script, so it is exploitable wherever the file is served). Any WordPress plugin or theme that includes this file exposes the site to the attack. To help combat this, we have done the following for VaultPress users:

1) We’ve deleted the file everywhere we can to proactively secure your site.

2) We’ve added it to our security scanner, so that in any case where we couldn’t detect or delete the file, you will still be notified if it exists on your site.

3) For users with sites where we couldn’t remove the file, we have personally emailed each of you with steps to remove the file and details about where the file is located.
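The same check can be run by hand. The script below is an added example, not VaultPress's scanner or Genericons code: it walks the plugins and themes directories of a WordPress install, lists every example.html that lives inside a genericons directory, and can remove the hits once they have been reviewed. The directory layout (wp-content/plugins, wp-content/themes, a folder named genericons) is the conventional one and is assumed here; pass your own WordPress root as the argument.

```shell
#!/bin/sh
# Added example (not VaultPress or Genericons code): find, report and remove
# copies of the Genericons example.html under a WordPress install.
# The wp-content/plugins and wp-content/themes paths and the "genericons"
# directory name are assumptions about the usual layout.

# Print every example.html that sits inside a directory named "genericons"
# below the plugins and themes directories of the given WordPress root.
find_genericons_example() {
    wp_root="$1"
    for base in "$wp_root/wp-content/plugins" "$wp_root/wp-content/themes"; do
        [ -d "$base" ] || continue
        find "$base" -type f -path '*/genericons/*' -name 'example.html' -print
    done
}

# Report the number of hits. Returns 0 when the install is clean and 1 when
# at least one copy of the file is present, so it can drive a cron job or CI.
check_wordpress_root() {
    hits=$(find_genericons_example "$1" | wc -l | tr -d ' ')
    if [ "$hits" -eq 0 ]; then
        echo "clean: no genericons/example.html under $1"
        return 0
    fi
    echo "found $hits copy(ies) of genericons/example.html under $1"
    return 1
}

# Delete each hit. Run check_wordpress_root first and review the list; the
# file is a demo page that no theme or plugin needs at runtime.
remove_genericons_example() {
    find_genericons_example "$1" | while IFS= read -r f; do
        rm -f -- "$f" && echo "removed: $f"
    done
}

# Stand-alone usage: sh scan-genericons.sh /var/www/html
if [ "${1:-}" != "" ]; then
    check_wordpress_root "$1"
fi
```

Run it against the WordPress root as the web server user so the rm succeeds; a non-zero exit from check_wordpress_root is the signal that a theme or plugin update has reintroduced the file.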

Also, another important security update was released today for WordPress: Version 4.2.2. It fixes several vulnerabilities that could allow users to compromise your site, including the Genericons vulnerability.

We encourage everyone to head over to Dashboard → Updates in their WordPress dashboard, and click “Update Now”. Otherwise, you can download WordPress 4.2.2 directly. Once you’re running WordPress 4.2.2, you’re protected from these vulnerabilities.

As always, drop us a line if you have any questions!

This entry was posted in Security.

7 Responses to Genericons XSS Vulnerability & WordPress 4.2.2

  1. Pingback: Genericons XSS Vulnerability & WordPress 4.2.2 | The WordPress C(h)ronicle

  2. rlburg says:

    Thank you!

  3. Pingback: WordPress rolls out update to fix security flaw affecting millions of websites | Tech Feed - CPN DEV

  4. Pingback: WordPress rolls out update to fix security flaw affecting millions of websites | Bain Daily

  5. Pingback: Mashable – My Short List

  6. Thomas cloture says:

    Thank you a lot!

  7. TredertinDex says:

    Genericons package by default. Hundreds of WordPress themes and plugins that make use of the Genericons package could be vulnerable to a DOM-based XSS vulnerability affecting millions of WordPress installations.
