WordPress Security Update 4.8.2 – Update Immediately

WordPress Core version 4.8.2 has just been released. This is a minor update and a security release, which means that your sites will update automatically within the next 24 hours unless you have disabled auto updates.

The update includes a fix to $wpdb->prepare() to help protect against SQL injection (SQLi) attacks. WordPress core is not directly vulnerable to SQL injection, but certain plugins and themes may be vulnerable depending on how they use the $wpdb->prepare() function in their code. This fix alone is reason to update immediately to 4.8.2.
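For reviewing your own plugin and theme code, here is an added example (not from the original post or from WordPress) of a heuristic audit for $wpdb->prepare() calls. The post does not say which usages are affected; the sketch assumes the well-known risky pattern where a variable is interpolated or concatenated into the query template instead of being passed as a placeholder argument. The function names and the sample PHP are constructed for illustration.

```python
import re

CALL = re.compile(r"\$wpdb\s*->\s*prepare\s*\(")
FOREIGN_VAR = re.compile(r"\$(?!wpdb\b)[A-Za-z_]\w*")

def first_argument(src, start):
    """Return the first argument of the call whose '(' ends just before start."""
    depth, quote, i = 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            if depth == 0:
                break                 # closing paren of prepare()
            depth -= 1
        elif ch == "," and depth == 0:
            break                     # end of the query template
        i += 1
    return src[start:i]

def audit_prepare_calls(src):
    """Return (line, variables) for calls whose template embeds a variable
    other than $wpdb itself ({$wpdb->posts} in a template is expected)."""
    findings = []
    for m in CALL.finditer(src):
        names = sorted(set(FOREIGN_VAR.findall(first_argument(src, m.end()))))
        if names:
            findings.append((src.count("\n", 0, m.start()) + 1, names))
    return findings

# Constructed sample plugin source, not taken from any real plugin.
SAMPLE_PHP = r'''<?php
$a = $wpdb->get_var( $wpdb->prepare(
    "SELECT ID FROM {$wpdb->posts} WHERE post_author = %d", $author_id ) );
$b = $wpdb->get_var( $wpdb->prepare(
    "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_title LIKE '%$term%'" ) );
$c = $wpdb->query( $wpdb->prepare(
    "DELETE FROM " . $table . " WHERE id = " . $_GET['id'] ) );
'''
if __name__ == "__main__":
    for line, names in audit_prepare_calls(SAMPLE_PHP):
        print(f"line {line}: review, template embeds {', '.join(names)}")
```

A hit means the call needs manual review, not that it is exploitable: a concatenated table name taken from a fixed list is a common benign case.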

The release fixes five cross-site scripting vulnerabilities. These are in:

  • oEmbed discovery
  • The visual editor
  • The plugin editor
  • Template names

Two path traversal vulnerabilities were fixed. These are:

  • In the file unzipping code
  • In the customizer

An open redirect was also fixed on the user and term editing screens. 4.8.2 also includes 6 maintenance fixes.

Now that the existence of these vulnerabilities is public, it becomes much more likely that they will be exploited. It is very important that you update as soon as possible to 4.8.2.

To update manually now, sign in to your WordPress site, mouse over the Dashboard on the top left, click ‘Updates’ and complete the update process.

Please share this information with the rest of the community to ensure everyone updates in a timely fashion. Thanks.


Comments

9 Comments
  • Thank you very much for this heads-up.

  • Thank you for sharing it.

  • Many of my websites updated from 4.7.5 to 4.7.6 too. I can't find anything about WordPress 4.7.6, but I believe that patches the exploit too? Can you confirm? I don't want to update all of them to 4.8.X right now.

  • Thanks guys for your continued efforts in WordPress security. At FanVictor.com, which is a Fantasy Sports Platform, we use your Premium service and it's great. Thank you!

  • The Events Calendar, Pods and Yoast SEO plugins all have WP 4.8.2 related updates out.

  • I am having issues with the following:

    Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 1048577 bytes) in /home/wwworeillyconcre/public_html/wp-content/plugins/wordfence/lib/wordfenceScanner.php on line 317

    This is happening to a number of sites on my dedicated server. Can you advise how to fix this?
    Thanks for your anticipated assistance.
    Kevin.

    • Hi Kevin! Unfortunately, we're not able to offer support via blog comments, but our support team would be very happy to help you. If you're a Wordfence Premium user, you can contact Premium support by logging in to your Wordfence.com account and clicking "support" from any page; if you're a free user, please make a new post here. Either way, we'll get our support staff on it as soon as humanly possible. Thanks!

  • Hi guys, can I have your advice on the WordPress version, because I am a bit confused. I had WordPress v3.8 and have now updated to 3.8.22, which is the latest release for v3.8. Do I need to upgrade to 4.8.2? I do not need the new WordPress features in 4.8.2, as some plugins may not be compatible with 4.8.2. I have the free Wordfence version installed. If I keep it at v3.8.22, will this pose a risk to my site? Thanks.

    • Hi Ng,

      We're unable to offer support in the comments of our blog, but our support staff would be happy to answer any questions you may have in our support forums - please do post there and we'll help you out! :)