Critical WordPress 4.2 vulnerability

Due to a critical security vulnerability announced on Sunday evening, we have disabled commenting on all dxw-hosted sites.

At 21:00 on Sunday 26th April, a flaw in the way WordPress handles comments was published. It allows an attacker to inject HTML and JavaScript into the pages of a site simply by submitting a comment; the injected markup is stored with the comment and served to anyone who later views it.

Because the script runs in the browser of whoever views the affected page, it runs with that visitor's logged-in session. If the viewer is an administrator (for example, reviewing the comment in the moderation queue), the attacker can effectively take over the website: adding or removing any content and undertaking any action an administrator is able to complete through the admin area.

Due to the seriousness of this flaw we have disabled commenting across the GovPress platform pending a patch from WordPress. We expect that a patch will be released quickly and we will deploy it as soon as possible.

We will make further updates to this blog post as the situation develops. If you are a client and have any questions or concerns not covered here, please create a ticket. Please bear with us, as demand on the helpdesk is likely to be higher than normal.

The vulnerability is confirmed to affect WordPress 4.2, 4.1.2, 4.1.1 and 3.9.3.

Update 11:24 – since the vulnerability requires the comment itself to be excessively long (over 64 KB, the point at which the stored comment body is truncated), we are restricting the block to comments that exceed a size threshold, so most, if not all, legitimate comments should soon be accepted again.
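The following is an added illustration of the size-threshold mitigation described above, written for this post; it is not dxw's code and the post does not say how the GovPress block was implemented. It is a minimal WordPress plugin that hooks the `preprocess_comment` filter, which WordPress applies to submitted comment data before the comment is stored, and rejects any comment whose body exceeds a byte threshold. The threshold value (32768 bytes) and the `ocb_` names are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Oversized Comment Blocker (illustrative example)
 * Description: Rejects comments whose body exceeds a byte-length threshold
 *              before WordPress stores them. Interim mitigation only; apply
 *              the vendor patch as soon as it is available.
 */

// Threshold in bytes. This value is an assumption for the example; the post
// does not state the threshold used on GovPress. It is kept well below the
// 64 KB (65535 byte) storage limit that the vulnerability depends on.
// strlen() counts bytes rather than characters, which is the measure that
// matters for storage truncation.
if ( ! defined( 'OCB_MAX_COMMENT_BYTES' ) ) {
    define( 'OCB_MAX_COMMENT_BYTES', 32768 );
}

/**
 * Reject oversized comments.
 *
 * Runs on the preprocess_comment filter, which wp_new_comment() applies to
 * the comment data array before inserting it, so it covers the front-end
 * comment form and any other path that calls wp_new_comment().
 *
 * @param array $commentdata Comment data as assembled by WordPress.
 * @return array Unmodified comment data when the comment is within limits.
 */
function ocb_reject_oversized_comment( $commentdata ) {
    $content = isset( $commentdata['comment_content'] )
        ? (string) $commentdata['comment_content']
        : '';

    if ( strlen( $content ) > OCB_MAX_COMMENT_BYTES ) {
        // wp_die() stops processing and shows the message to the submitter.
        // 413 (Payload Too Large) signals the reason to clients and logs.
        wp_die(
            esc_html__( 'Your comment is too long to be accepted at the moment. Please shorten it and try again.' ),
            esc_html__( 'Comment rejected' ),
            array(
                'response'  => 413,
                'back_link' => true,
            )
        );
    }

    return $commentdata;
}

// Priority 1 so the check runs before other comment filters do work on the body.
add_filter( 'preprocess_comment', 'ocb_reject_oversized_comment', 1 );
```

Placed in `wp-content/plugins/` and activated, this rejects only comments over the threshold and lets ordinary comments through, which is the trade-off the update above describes. Two caveats a practitioner would want: the check is measured in bytes, so a long comment in a multibyte script hits the limit with fewer characters than an ASCII one, and a blanket size cap is a stop-gap rather than a fix, since it does not address the underlying handling flaw that the WordPress patch corrects.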