ISO: WordPress 4.2 stored XSS vulnerability


Over the weekend a cross-site scripting (XSS) vulnerability in WordPress was publicly disclosed that affects all versions of WordPress prior to 4.2.1. This vulnerability could enable an attacker to execute arbitrary code on the plugin and theme editors of a WordPress site--which could enable full compromise of the site itself--if a specially crafted XSS payload were placed in the comments section and then viewed by an authenticated administrative user.

Yesterday, the WordPress security team released what they've classified as a "critical" security release for WordPress, 4.2.1. More information, including patching instructions, can be found here: < >. If your WP site uses background updates, please ensure it's working as expected on your site and that the patch has been applied.

A survey of WordPress instances hosted on campus indicates many UT WordPress instances remain vulnerable. The Information Security Office (ISO) considers this vulnerability to be a significant risk based on the low skill level required for successful exploitation and the prevalence of vulnerable WordPress sites. We recommend that campus units patch immediately if this hasn't yet been completed. Please note that we will schedule quarantines for vulnerable sites if they remain unpatched.

If you have any questions or concerns, please contact the Information Security Office at

Samuel Westerfeld
Network Security Analyst
Information Security Office
512-475-9242 |