Version 4.2.4

On August 4, 2015, WordPress 4.2.4 was released to the public. This is a security update for all previous WordPress versions.

Installation/Update Information

To download WordPress 4.2.4, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.

For step-by-step instructions on installing and updating WordPress:

If you are new to WordPress, we recommend that you begin with the following:

Summary

From the announcement post, WordPress 4.2.4 fixes three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site (CVE-2015-2213).

It also includes a fix for a potential timing side-channel attack and prevents an attacker from locking a post from being edited.

In addition to the security fixes, WordPress 4.2.4 contains fixes for 4 bugs from 4.2.3, including:

  • FIX – WPDB: When checking the encoding of strings against the database, make sure we’re only relying on the return value of strings that were sent to the database. #32279
  • FIX – Don’t blindly trust the output of glob() to be an array. #33093
  • FIX – Shortcodes: Handle do_shortcode(‘<[shortcode]’) edge cases. #33116
  • FIX – Shortcodes: Protect newlines inside of CDATA. #33106

List of Files Revised

readme.html
wp-admin/about.php
wp-admin/includes/class-wp-upgrader.php
wp-admin/includes/post.php
wp-admin/includes/update-core.php
wp-admin/js/nav-menu.js
wp-admin/js/nav-menu.min.js
wp-admin/post.php
wp-includes/class-wp-customize-widgets.php
wp-includes/class-wp-embed.php
wp-includes/default-widgets.php
wp-includes/formatting.php
wp-includes/l10n.php
wp-includes/post.php
wp-includes/shortcodes.php
wp-includes/theme.php
wp-includes/version.php
wp-includes/wp-db.php

First published

Last updated