WordPress 4.9.2 security release & YITH Wishlist vulnerability

On January 16th, WordPress released a security update to patch a vulnerability in the latest version of WordPress.

According to the release notes (the update fixes a number of bugs too), “an XSS vulnerability was discovered in the Flash fallback files in MediaElement, a library that is included with WordPress. Because the Flash files are no longer needed for most use cases, they have been removed from WordPress.”

It is strongly recommended that you update your WordPress site to protect it from this vulnerability. If you’re not sure whether your site auto-updates for security releases, check your WordPress installation by logging into the WordPress admin panel (/wp-admin) or asking your web developer.
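If you have shell access to the server, the same check can be run from the command line. The script below is an added example, not code from WordPress or from the release notes: it reads the core version from `wp-includes/version.php` and lists any Flash files still sitting in the bundled MediaElement directory. It assumes the standard WordPress core layout and plain dotted version numbers; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: check a WordPress tree against the 4.9.2 MediaElement fix.
# Assumes the standard core layout and plain dotted version numbers.

# Print the core version recorded in wp-includes/version.php.
wp_version() {
    sed -n "s/^[\$]wp_version *= *'\([^']*\)'.*/\1/p" \
        "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# Succeed when dotted version $1 is older than $2 (up to three parts).
version_lt() {
    va=$1; vb=$2
    for i in 1 2 3; do
        x=${va%%.*}; y=${vb%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
    done
    return 1
}

# List Flash files left under the bundled MediaElement directory.
flash_fallbacks() {
    find "$1/wp-includes/js/mediaelement" -type f -name '*.swf' 2>/dev/null
}

# Report on one site; returns 0 only if it is on 4.9.2+ with no Flash files.
audit_site() {
    ver=$(wp_version "$1")
    [ -n "$ver" ] || { echo "$1: no wp-includes/version.php found"; return 2; }
    status=0
    if version_lt "$ver" 4.9.2; then
        echo "$1: core $ver predates 4.9.2, update needed"; status=1
    fi
    swf=$(flash_fallbacks "$1")
    if [ -n "$swf" ]; then
        echo "$1: Flash fallback files still present:"; echo "$swf"; status=1
    fi
    [ "$status" -eq 0 ] && echo "$1: core $ver, no Flash fallback files found"
    return "$status"
}

# Usage: sh check-wp.sh /var/www/site1 /var/www/site2
for site in "$@"; do
    audit_site "$site"
done
```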

Also, WordPress security experts Sucuri have spotted an SQLi vulnerability in the popular YITH WooCommerce Wishlist plugin (used by over 500,000 WordPress sites). Flagged as “dangerous”, this could allow attackers to access personal data from within the website. If you use this plugin, make sure you update immediately to the latest version.