{"id":4909,"date":"2017-09-19T22:17:15","date_gmt":"2017-09-19T22:17:15","guid":{"rendered":"https:\/\/wordpress.org\/news\/?p=4909"},"modified":"2022-11-18T22:53:14","modified_gmt":"2022-11-18T22:53:14","slug":"wordpress-4-8-2-security-and-maintenance-release","status":"publish","type":"post","link":"https:\/\/wordpress.org\/news\/2017\/09\/wordpress-4-8-2-security-and-maintenance-release\/","title":{"rendered":"WordPress 4.8.2 Security and Maintenance Release"},"content":{"rendered":"<p>WordPress 4.8.2 is now available. This is a <strong>security release<\/strong> for all previous versions and we strongly encourage you to update your sites immediately.<\/p>\n<p>WordPress versions 4.8.1 and earlier are affected by these security issues:<\/p>\n<ol>\n<li><code>$wpdb-&gt;prepare()<\/code>\u00a0can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we&#8217;ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by <a href=\"https:\/\/hackerone.com\/slavco\">Slavco<\/a><\/li>\n<li>A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.<\/li>\n<li>A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by <a href=\"https:\/\/twitter.com\/brutelogic\">Rodolfo Assis (@brutelogic)<\/a>\u00a0of Sucuri Security.<\/li>\n<li>A path traversal vulnerability was discovered in the file unzipping code. Reported by\u00a0<a href=\"https:\/\/hackerone.com\/noxrnet\">Alex Chapman (noxrnet)<\/a>.<\/li>\n<li>A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by \u9648\u745e\u7426 (Chen Ruiqi).<\/li>\n<li>An open redirect was discovered on the user and term edit screens. Reported by\u00a0<a href=\"https:\/\/hackerone.com\/ysx\">Yasin Soliman (ysx)<\/a>.<\/li>\n<li>A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.<\/li>\n<li>A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by\u00a0<a href=\"https:\/\/hackerone.com\/sikic\">Luka (sikic)<\/a>.<\/li>\n<li>A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by\u00a0<a href=\"https:\/\/hackerone.com\/qasuar\">Anas Roubi (qasuar)<\/a>.<\/li>\n<\/ol>\n<p>Thank you to the reporters of these issues for practicing\u00a0<a href=\"https:\/\/make.wordpress.org\/core\/handbook\/testing\/reporting-security-vulnerabilities\/\">responsible disclosure<\/a>.<\/p>\n<p>In addition to the security issues above, WordPress 4.8.2 contains 6 maintenance fixes to the\u00a04.8 release series.\u00a0For more information, see the <a href=\"https:\/\/codex.wordpress.org\/Version_4.8.2\">release notes<\/a>\u00a0or consult the <a href=\"https:\/\/core.trac.wordpress.org\/query?status=closed&amp;milestone=4.8.2&amp;group=component&amp;col=id&amp;col=summary&amp;col=component&amp;col=status&amp;col=owner&amp;col=type&amp;col=priority&amp;col=keywords&amp;order=priority\">list of changes<\/a>.<\/p>\n<p><a href=\"https:\/\/wordpress.org\/download\/\">Download WordPress 4.8.2<\/a>\u00a0or venture over to Dashboard \u2192 Updates and simply click \u201cUpdate Now.\u201d Sites that support automatic background updates are already beginning to update to WordPress 4.8.2.<\/p>\n<p>Thanks to everyone who contributed to 4.8.2.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.8.1 and earlier are affected by these security issues: $wpdb-&gt;prepare()\u00a0can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this [&hellip;]<\/p>\n","protected":false},"author":140668,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"episode_type":"","audio_file":"","cover_image":"","cover_image_id":"","duration":"","filesize":"","date_recorded":"","explicit":"","block":"","filesize_raw":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[14,15],"tags":[437],"class_list":["post-4909","post","type-post","status-publish","format-standard","hentry","category-releases","category-security","tag-minor-releases"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pZhYe-1hb","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/4909","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/users\/140668"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/comments?post=4909"}],"version-history":[{"count":4,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/4909\/revisions"}],"predecessor-version":[{"id":13939,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/4909\/revisions\/13939"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/media?parent=4909"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/categories?post=4909"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/tags?post=4909"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}