WordPress 4.8.2 Security and Maintenance Release

Today, on September 19th, 2017, the official release of WordPress 4.8.2 has been announced. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.1 and earlier are affected by these security issues:

  1. $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
  2. A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery.
  3. A cross-site scripting (XSS) vulnerability was discovered in the visual editor.
  4. A path traversal vulnerability was discovered in the file unzipping code.
  5. A cross-site scripting (XSS) vulnerability was discovered in the plugin editor.
  6. An open redirect was discovered on the user and term edit screens.
  7. A path traversal vulnerability was discovered in the customizer.
  8. A cross-site scripting (XSS) vulnerability was discovered in template names.
  9. A cross-site scripting (XSS) vulnerability was discovered in the link modal.

In addition to the security issues above, WordPress 4.8.2 contains 6 maintenance fixes to the 4.8 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.8.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.2.

Add new comment