On May 6, 2015, WordPress 4.2.2 was released to the public. This is both a security update for all previous WordPress versions, and a maintenance release for versions 4.2 and newer.
Installation/Update Information
To download WordPress 4.2.2, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress – Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
Summary
From the announcement post, WordPress 4.2.2 fixes a cross-site scripting vulnerability contained in an HTML file shipped with recent Genericons packages included in the Twenty Fifteen theme as well as a number of popular plugins by removing the file. Auto-updates and manual updates will remove this file, however manual installations and those using VCS checkout (like SVN) will not remove this file. Version 4.2.2 also improves on a fix for a critical cross-site scripting vulnerability introduced in 4.2.1.
The release also includes hardening for a potential cross-site scripting vulnerability when using the Visual editor.
In addition to the security fixes, WordPress 4.2.2 contains fixes for 13 bugs from 4.2.1, including:
- Fixes an emoji loading error in IE9 and IE10
- Fixes a keyboard shortcut for saving from the Visual editor on Mac
- Fixes oEmbed for YouTube URLs to always expect https
- Fixes how WordPress checks for encoding when sending strings to MySQL
- Fixes a bug with allowing queries to reference tables in the dbname.tablename format
- Lowers memory usage for a regex checking for UTF-8 encoding
- Fixes an issue with trying to change the wrong index in the wp_signups table on utf8mb4 conversion
- Improves performance of loop detection in _get_term_children()
- Fixes a bug where attachment URLs were incorrectly being forced to use https in some contexts
- Fixes a bug where creating a temporary file could end up in an endless loop.
List of Files Revised
wp-admin/js/editor-expand.js wp-admin/about.php wp-admin/includes/file.php wp-admin/includes/update-core.php wp-admin/includes/upgrade.php wp-includes/taxonomy.php wp-includes/compat.php wp-includes/version.php wp-includes/post.php wp-includes/js/wp-emoji.js wp-includes/js/wp-emoji-loader.js wp-includes/js/tinymce/tiny_mce_popup.js wp-includes/js/tinymce/tinymce.min.js wp-includes/js/tinymce/plugins/wordpress/plugin.js wp-includes/js/tinymce/tinymce.js wp-includes/comment.php wp-includes/wp-db.php wp-includes/pluggable.php wp-content/themes/twentyfifteen/genericons/example.html (deleted) wp-content/themes/twentythirteen/genericons/example.html (deleted) wp-content/themes/twentyfourteen/genericons/example.html (deleted) readme.html