WordPress 4.1.2 is now available. This is a critical security
release for all previous versions and we strongly encourage you
to update your sites immediately.
WordPress versions 4.1.1 and earlier are affected by a critical
cross-site scripting vulnerability, which could enable anonymous
users to compromise a site. This was reported by Cedric Van
Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew
Nacin of the WordPress security team.
We also fixed three other security issues:
- In WordPress 4.1 and higher, files with invalid or unsafe
names could be uploaded. Discovered by Michael Kapfer and
Sebastian Kraemer of HSASec.
- In WordPress 3.9 and higher, a very limited cross-site
scripting vulnerability could be used as part of a social
engineering attack. Discovered by Jakub Zoczek.
- Some plugins were vulnerable to an SQL injection
vulnerability. Discovered by Ben Bidner of the WordPress
security team.
We also made four hardening changes, discovered by J.D. Grimes,
Divyesh Prajapati, Allan Collins, Marc-Alexandre Montpas and
Jeff Bowen.