WordPress users: Now would be an excellent time to make sure your system is up to date.
The content management system rolled out an update on Thursday that addresses a security flaw affecting millions of websites. The vulnerability, first spotted by security researchers at Sucuri, leaves affected websites susceptible to an attack that could let an outsider take control of the site.
The flaw stems from a file shipped inside Genericons, the icon font package that is bundled with many WordPress sites by default, including the default Twenty Fifteen theme and the Jetpack plugin, according to researchers. The file contains a cross-site scripting (XSS) vulnerability: script supplied by an attacker runs in the browser of anyone who follows a crafted link to it, and if that visitor is a logged-in administrator, the script can act with administrator privileges and so hand control of the website to the attacker. The file is not needed for the icons to work, which is why the fix is simply to delete it.
“Any WordPress plugin or theme that includes this file is open to an attack,” WordPress wrote in a post on its VaultPress blog addressing the problem. WordPress says its latest patch removed the problematic files from its own themes and plugins. Because the patch only covers what WordPress ships, a third-party theme or plugin that bundles its own copy of Genericons stays exposed until its author, or the site administrator, removes the file as well.
Users can get the WordPress update from the Updates menu in their main dashboard. The patch has already started rolling out to those with automatic updates enabled. We advise you to confirm that the update was actually installed on your system, and then to look through wp-content for any remaining copies of the Genericons file in themes or plugins that WordPress does not maintain.
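The check described above, as an added example that is not part of the original article and not WordPress's or Sucuri's own tooling: a small POSIX shell script that reads the installed WordPress version from wp-includes/version.php and lists every copy of a given file that sits inside a genericons directory under wp-content, so that copies bundled by third-party themes and plugins are found too. The article does not name the problematic file; the script takes the filename as a parameter and defaults to example.html, which is an assumption you should replace if your copy of the advisory names a different file. The directory layout it builds for its demo is constructed sample data, not a real install.

```shell
#!/bin/sh
# Added example (not from the article): audit a WordPress tree for leftover
# copies of the Genericons file that the patch deletes, and report the
# installed WordPress version so it can be compared against the current release.
set -u

# Print the version string from wp-includes/version.php ($wp_version = '...';).
wp_version() {
  root="$1"
  sed -n "s/^\$wp_version = '\([^']*\)';.*/\1/p" "$root/wp-includes/version.php"
}

# Print every file named "$2" (default example.html, an assumption: the article
# does not name the file) that lives inside a genericons directory under
# "$1"/wp-content. Copies in third-party themes and plugins are found as well.
find_genericons_copies() {
  root="$1"
  file="${2:-example.html}"
  find "$root/wp-content" -type f -path '*genericons*' -name "$file" 2>/dev/null | sort
}

# Number of copies found; 0 means the tree is clean for that filename.
count_genericons_copies() {
  find_genericons_copies "$1" "${2:-example.html}" | grep -c . || true
}

# Build a constructed sample tree: one theme still carrying the file, one
# plugin whose genericons directory has already been cleaned up (only the CSS
# remains), and a same-named file outside any genericons directory that must
# NOT be reported. The version string is a placeholder, not a real release.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-includes" \
           "$dir/wp-content/themes/twentyfifteen/genericons" \
           "$dir/wp-content/plugins/jetpack/_inc/genericons/genericons" \
           "$dir/wp-content/plugins/other/docs"
  printf '<?php\n$wp_version = %s;\n' "'4.x-sample'" > "$dir/wp-includes/version.php"
  printf '<html>constructed demo file</html>\n' \
    > "$dir/wp-content/themes/twentyfifteen/genericons/example.html"
  : > "$dir/wp-content/plugins/jetpack/_inc/genericons/genericons/genericons.css"
  : > "$dir/wp-content/plugins/other/docs/example.html"
  printf '%s\n' "$dir"
}

# Demo run against the constructed tree; pass a real document root to the
# functions above to audit an actual installation.
demo_root=$(make_sample_tree)
echo "WordPress version: $(wp_version "$demo_root")"
echo "Genericons copies of example.html still present: $(count_genericons_copies "$demo_root")"
find_genericons_copies "$demo_root"
rm -rf "$demo_root"
```

On a live site, run `find_genericons_copies /var/www/html` (or whatever the document root is) after the update; any path it prints is a copy the WordPress patch did not touch and should be deleted by hand, then re-run until the count reaches zero.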