
WordPress Security Update 4.8.2 – Update Immediately

This entry was posted in WordPress Security on September 19, 2017 by Mark Maunder

WordPress Core version 4.8.2 has just been released. This is a minor update and a security release, which means that your sites will update automatically within the next 24 hours unless you have disabled auto updates.

The update includes a fix to $wpdb->prepare() to help protect against SQL injection (SQLi) attacks. WordPress core is not directly vulnerable to SQL injection, but certain plugins and themes may be vulnerable depending on how they use the $wpdb->prepare() function in their code. This fix alone is reason to update immediately to 4.8.2.

The release fixes five cross-site scripting vulnerabilities. These are in:

  • oEmbed discovery
  • The visual editor
  • The plugin editor
  • Template names

Two path traversal vulnerabilities were fixed. These are:

  • In the file unzipping code
  • In the customizer

An open redirect was also fixed on the user and term editing screens. 4.8.2 also includes 6 maintenance fixes.

Now that the existence of these vulnerabilities is public, it becomes much more likely that they will be exploited. It is very important that you update as soon as possible to 4.8.2.

To update manually now, sign in to your WordPress site, hover over Dashboard at the top left, click ‘Updates’ and complete the update process.
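
For a server that hosts several sites, the version check behind the update advice above can be scripted. This is an added example, not code from this post or from Wordfence: the function names and the sample tree are constructed for illustration, and it compares only against 4.8.2, the release named here, so an install on an older branch that received its own security release still shows as needing an update.

```shell
# Added example: flag WordPress installs older than the release named in this post.
FIXED="4.8.2"

# Print $wp_version as recorded in an install's wp-includes/version.php.
wp_version() {
    sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# Return 0 when dotted version $1 is older than $2 (numeric compare per component).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Return 0 when wp-config.php defines a constant that turns core auto updates off.
# Heuristic only: updates disabled through a filter in a plugin or theme are not seen.
auto_updates_disabled() {
    grep -Eqi "^[[:space:]]*define\([[:space:]]*['\"](AUTOMATIC_UPDATER_DISABLED['\"][[:space:]]*,[[:space:]]*true|WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*false)" "$1/wp-config.php" 2>/dev/null
}

# Print "path<TAB>version<TAB>status" for every install found under directory $1.
audit() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null | sort |
    while IFS= read -r f; do
        root=${f%/wp-includes/version.php}; v=$(wp_version "$root"); status=ok
        if version_lt "$v" "$FIXED"; then
            status=needs-update
            if auto_updates_disabled "$root"; then status="$status,auto-updates-off"; fi
        fi
        printf '%s\t%s\t%s\n' "$root" "${v:-unknown}" "$status"
    done
}

# Constructed sample tree (three fake installs) so the script runs offline.
make_sample() {
    for spec in old:4.7.5 mid:4.8.1 new:4.8.2; do
        mkdir -p "$1/${spec%%:*}/wp-includes"
        printf "<?php\n\$wp_version = '%s';\n" "${spec#*:}" > "$1/${spec%%:*}/wp-includes/version.php"
    done
    printf "<?php\ndefine( 'WP_AUTO_UPDATE_CORE', false );\n" > "$1/old/wp-config.php"
}
# With an argument, audit that directory; without one, audit the sample tree.
if [ "$#" -gt 0 ]; then audit "$1"
else d=$(mktemp -d); make_sample "$d"; audit "$d"; rm -rf "$d"; fi
```

Installs reported as `needs-update,auto-updates-off` are the ones that will not receive the release on their own and need the manual update described above.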

Please share this information with the rest of the community to ensure everyone updates in a timely fashion. Thanks.


9 Comments on "WordPress Security Update 4.8.2 – Update Immediately"

Brad September 19, 2017 at 7:19 pm • Reply

Thank you very much for this heads-up.

Prem September 19, 2017 at 9:43 pm • Reply

Thank you for sharing it.

Snuwerd September 20, 2017 at 3:13 am • Reply

Many of my websites updated from 4.7.5 to 4.7.6 too. I can't find anything about WordPress 4.7.6, but I believe that patches the exploit too? Can you confirm? I don't want to update all of them to 4.8.X right now.

Victor September 20, 2017 at 6:08 am • Reply

Thanks guys for your continued efforts in WordPress security. At FanVictor.com, which is a Fantasy Sports Platform, we use your Premium service and it's great. Thank you!

Luke Cavanagh September 21, 2017 at 9:55 am • Reply

The Events Calendar, Pods and Yoast SEO plugins all have WP 4.8.2 related updates out.

Kevin Greene September 25, 2017 at 11:17 am • Reply

I am having issues with the following:

Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 1048577 bytes) in /home/wwworeillyconcre/public_html/wp-content/plugins/wordfence/lib/wordfenceScanner.php on line 317

This is happening to a number of sites on my dedicated server. Can you advise how to fix this?
Thanks for your anticipated assistance.
Kevin.

Andie La-Rosa September 25, 2017 at 11:37 am • Reply

Hi Kevin! Unfortunately, we're not able to offer support via blog comments, but our support team would be very happy to help you. If you're a Wordfence Premium user, you can contact Premium support by logging in to your Wordfence.com account and clicking "support" from any page; if you're a free user, please make a new post here. Either way, we'll get our support staff on it as soon as humanly possible. Thanks!

Ng September 28, 2017 at 12:04 am • Reply

Hi guys, can I have your advice on the WordPress version, because I am a bit confused. I had WordPress v3.8 and have now updated to 3.8.22, which is the latest release for v3.8. Do I need to upgrade to 4.8.2? I do not need the new WordPress features in 4.8.2, as some plugins may not be compatible with 4.8.2. I had the free Wordfence version installed. If I keep v3.8.22, will this be a risk to my site? Thanks.

Andie La-Rosa September 28, 2017 at 8:15 am • Reply

Hi Ng,

We're unable to offer support in the comments of our blog, but our support staff would be happy to answer any questions you may have in our support forums - please do post there and we'll help you out! :)
