WordPress 4.2.2 Security and Maintenance Release

WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Version 4.2.2 addresses two security issues:

  • The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
  • WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi.

The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.

Thanks to everyone who contributed to 4.2.2:

Aaron Jorbin, Andrew Ozz, Andrew Nacin, Boone Gorges, Dion Hulse, Ella Iseulde Van Dorpe, Gary Pendergast, Hinaloe, Jeremy Felt, John James Jacoby, Konstantin Kovshenin, Mike Adams, Nikolay Bachiyski, taka2, and willstedt.

Reposted from

WordPress 4.2.1 Security Release

WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.

WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.

Reposted from

WordPress 4.2 “Powell”

Version 4.2 of WordPress, named “Powell” in honor of jazz pianist Bud Powell, is available for download or update in your WordPress dashboard. New features in 4.2 help you communicate and share, globally.

Introducing WordPress 4.2 “Powell”

Introducing WordPress 4.2 "Powell"

An easier way to share content

Press ThisClip it, edit it, publish it. Get familiar with the new and improved Press This. From the Tools menu, add Press This to your browser bookmark bar or your mobile device home screen. Once installed you can share your content with lightning speed. Sharing your favorite videos, images, and content has never been this fast or this easy.

Extended character support

Character support for emoji, special charactersWriting in WordPress, whatever your language, just got better. WordPress 4.2 supports a host of new characters out-of-the-box, including native Chinese, Japanese, and Korean characters, musical and mathematical symbols, and hieroglyphs.

Don’t use any of those characters? You can still have fun — emoji are now available in WordPress! Get creative and decorate your content with 💙, 🐸, 🐒, 🍕, and all the many other emoji.

Customizer theme switcher

Switch themes in the Customizer

Browse and preview your installed themes from the Customizer. Make sure the theme looks great with your content, before it debuts on your site. oEmbed example

Even more embeds

Paste links from and Kickstarter and watch them magically appear right in the editor. With every release, your publishing and editing experience get closer together.

Inline plugin updates

Streamlined plugin updates

Goodbye boring loading screen, hello smooth and simple plugin updates. ClickUpdate Now and watch the magic happen.

Under the Hood

utf8mb4 support

Database character encoding has changed from utf8 to utf8mb4, which adds support for a whole range of new 4-byte characters.

JavaScript accessibility

You can now send audible notifications to screen readers in JavaScript withwp.a11y.speak(). Pass it a string, and an update will be sent to a dedicated ARIA live notifications area.

Shared term splitting

Terms shared across multiple taxonomies will be split when one of them is updated. Find out more in the Plugin Developer Handbook.

Complex query ordering

WP_Query, WP_Comment_Query, and WP_User_Query now support complex ordering with named meta query clauses.

The Team

Drew JaynesThis release was led by Drew Jaynes, with the help of these fine individuals. There are 283 contributors with props in this release, a new high. Pull up some Bud Powell on your music service of choice, and check out some of their profiles:

@mercime, A5hleyRich, Aaron D. Campbell, Aaron Jorbin,abhishekfdd, Adam Silverstein, Ahmad Awais, Alex King, Alex Mills (Viper007Bond),Alin Marcu, Allan Collins, Andrea Fercia, Andrew Bauer, Andrew Nacin, Andrew Norcross, Andrew Ozz, Ankit Gade, Ankit K Gupta, Anton Timmermans, Aram Zucker-Scharff, ArminBraun, Ashfame, Austin Matzko, avryl, Barry Kooij, Beau Lebens, Ben Doherty (Oomph, Inc), Billy Schneider, Boone B. Gorges, Brandon Kraft, Brian Krogsgard, Brian Watson, CalEvans, carolinegeven, Casey Driscoll, Caspie, Catalin Dogaru, Chip Bennett, chipx86, ChriCo, Chris Baldelomar, Chris Olbekson, Christian Foellmann, Christopher Finke, Clifton Griffin, Code Master, Corphi, Courtney Ivey,Craig Ralston, cweiske, Daisuke Takahashi, Damian, Daniel Bachhuber, Daniel Jalkut (Red Sweater), Darin Kotter, Darren Ethier (nerrad), Daryl L. L. Houston (dllh), Dave McHale, David A. Kennedy, David Anderson, David Herrera, Davide ‘Folletto’ Casali,davideugenepratt, davidhamiltron, Denis de Bernardy, Derek Herman, Derek Smart,designsimply, Dion Hulse, dipesh.kakadiya, Dominik Schilling, doublesharp, DzeryCZ,Dzikri Aziz, e.mazovetskiy, Eduardo Reveles, Edward Caissie, Elio Rivero, Ella Iseulde Van Dorpe, elliottcarlson, enej, Eric Andrew Lewis, Eric Binnion, Erick Hitter, Evan Solomon, Fabien Quatravaux, fhwebcs, Florian Simeth, Frank, Frank P. Walentynowicz, Franz Josef Kaiser, Gary Cao, Gary Jones, Gary Pendergast, Geert De Deckere, genkisan, George Stephanis, Graham Armfield, Gustavo Bordoni, hakre,Harish Chaudhari, hauvong, Helen Hou-Sandí, herbmillerjr, Hew, horike, Hugh Lashbrooke, Hugo Baeta, Ian Dunn, ianmjones, idealien, imath, Ipstenu (Mika Epstein), J.D. Grimes, Jack Lenox, James Collins, janhenckens, Jeff Farthing, Jeffrey de Wit, Jeremy Felt, Jesin A, jipmoors, Joan Artes, Joe Dolson, Joe McGill, Joel Bernerman,Joen Asmussen, John Blackbourn, John Eckman, John James Jacoby, John Levandowski, Jonathan Desrosiers, joost de keijzer, Joost de Valk, Jose Castaneda,Josh Levinson, jphase, Julio Potier, Justin Kopepasah, Justin Sternberg, Justin Watt,K.Adam White, Kailey (trepmal), Kelly Dwan, Kevin Ruscoe, Kim Parsell, Kite,Konstantin Kovshenin, Konstantin Obenland, Lance Willett, Leonard, Leonardo Giacone, Liam Gladdy, maimairel, Mako, Manny Fleurmond, marcelomazza, Marco Chiesi, Marcus Kazmierczak, Marin Atanasov, Mario Peshev, Marius (Clorith), Mark Jaquith, Mark Senff, Marko Heijnen, Matt Gibbs, Matt Martz, Matt Mullenweg, Matt Wiebe, Matt Zak, Matthew Boynes, Matthew Eppelsheimer, Matthew Haines-Young,mattyrob, Max Cutler, mehulkaklotar, Mel Choyce, meloniq, Michael Adams (mdawaffe), Michael Arestad, Michael Beckwith, michalzuber, Mike Glendinning, Mike Hansen, Mike Jordan, Mike Schinkel, MikeNGarrett, Milan Dinic, mmn-o, Mohammad Jangda, MomDad, Morgan Estes, Morpheu5, Naoko Takano, nathan_dawson, Neil Pie, Nick Halsey, nicnicnicdevos, Nikhil Vimal, ninnypants, Nithin K R, Nuno Morgadinho, OriginalEXE, Paresh Radadiya, Pat Hawks, Paul Bearne, Paul Schreiber,Paul Wilde, pavelevap, Payton Swick, Pete Mall, Pete Nelson, Peter Wilson, Pippin Williamson, podpirate, postpostmodern, Prasath Nadarajah, prasoon2211, Primoz Cigler, r-a-y, Rachel Baker, rahulbhangale, Rami Yushuvaev, Rastislav Lamos,Ravindra Pal Singh, Rian Rietveld, Ritesh Patel, Robert Chapin, Rodrigo Primo, Ross Wintle, Ryan Boren, Ryan Marks, sagarjadhav, samo9789, samuelsidler, Scott Grant,Scott Reilly, Scott Taylor, scott.gonzalez, ScreenfeedFr, scribu, Sean Hayes, Sergej Muller, Sergey Biryukov, sevenspark, Simon Wheatley, Siobhan, sippis, Slobodan Manic, solarissmoke, Stephane Daury, Stephanie Leary, Stephen Edgar, Steve Grunwell, stevehickeydesign, Steven Word, Takashi Irie, Takuro Hishikawa, theMikeD,thomaswm, Thorsten Frommen, Till, Timothy Jacobs, tiqbiz, tmatsuur, tmeister,Tobias Schutter, TobiasBg, tomdxw, Travis Northcutt, trishasalas, Ty Carlson, UaMV,Udit Desai, Ulrich Sossou, Veritaserum, voldemortensen, VolodymyrC, vortfu,welcher, Weston Ruter, William Earnhardt, and WordPressor.

Special thanks go to Siobhan McKeown for producing the release video and Cami Kaos for the voice-over.

Finally, thanks to all of the contributors who provided subtitles for the release video, which at last count had been translated into 30 languages!

Adrian Pop, Alin Marcu, Bagerathan Sivarajah, Besnik, Bjørn Johansen, Chantal Coolsma, cubells, Daisuke Takahashi, Diana K. Cury, DjZoNe, dyrer, Elzette Roelofse,fxbenard, TacoVerdo, Gabriel Reguly, Jenny Wong, Gary Jones, Håvard Grimelid,Joachim Jensen, Jimmy Xu, Junko Nukaga, Justina, Kenan Dervisevic, Kostas Vrouvas,Krzysztof Trynkiewicz, Luís Rodrigues, Luis Rull, Mark Thomas Gazel , Marius Jensen,matthee, Mattias Tengblad, Matúš Záhradník, Mayuko Moriyama, Michal Vittek,Milan Dinić, MrShemek, Naoko Takano, pavelevap, Peter Holme Obrestad, Petya Raykovska, Przemysław Mirota, qraczek, Rafa Poveda, Rami Yushuvaev, Rasheed Bydousi, Rhoslyn Prys, Robert Axelsen, Sergey Biryukov, Siobhan Bamber, Stephen Edgar, ک To Have داشتن, Torsten Landsiedel, Victor J. Quesada, Wolly, Xavi Ivars, Xavier Borderie

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress. See you soon for version 4.3!

Reposted from

WordPress 4.1.2 Security Release

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, andAndrew Nacin of the WordPress security team.

We also fixed three other security issues:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

We also made four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati,Allan Collins and Marc-Alexandre Montpas.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.1.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.

Thanks to everyone who contributed to 4.1.2: Allan Collins, Alex Concha, Andrew Nacin, Andrew Ozz, Ben Bidner, Boone Gorges, Dion Hulse, Dominik Schilling, Drew Jaynes, Gary Pendergast, Helen Hou-Sandí, John Blackbourn, and Mike Adams.

A number of plugins also released security fixes yesterday. Keep everything updated to stay secure. If you’re a plugin author, please read this post to confirm that your plugin is not affected by the same issue. Thank you to all of the plugin authors who worked closely with our security team to ensure a coordinated response.

Already testing WordPress 4.2? The third release candidate is now available (zip) and it contains these fixes. For more on 4.2, see the RC 1 announcement post.

Reposted from

WordPress 4.1 “Dinah”

Version 4.1 of WordPress, named “Dinah” in honor of jazz singer Dinah Washington, is available for download or update in your WordPress dashboard. New features in WordPress 4.1 help you focus on your writing, and the new default theme lets you show it off in style.

Introducing Twenty Fifteen


Our newest default theme, Twenty Fifteen, is a blog-focused theme designed for clarity.

Twenty Fifteen has flawless language support, with help from Google’s Noto font family.

The straightforward typography is readable on any screen size.

Your content always takes center stage, whether viewed on a phone, tablet, laptop, or desktop computer.

Distraction-free writing


Just write.

Sometimes, you just need to concentrate on putting your thoughts into words. Try turning on distraction-free writing mode. When you start typing, all the distractions will fade away, letting you focus solely on your writing. All your editing tools instantly return when you need them.

The Finer Points

Choose a language

Right now, WordPress 4.1 is already translated into over forty languages, with more always in progress. You can switch to any translation on the General Settings screen.

Log out everywhere

If you’ve ever worried you forgot to sign out from a shared computer, you can now go to your profile and log out everywhere.

Vine embeds

Embedding videos from Vine is as simple as pasting a URL onto its own line in a post. See the full list of supported embeds.

Plugin recommendations

The plugin installer suggests plugins for you to try. Recommendations are based on the plugins you and other users have installed.

Under the Hood

Complex Queries

Metadata, date, and term queries now support advanced conditional logic, like nested clauses and multiple operators — A AND ( B OR C ).

Customizer API

The customizer now supports conditionally showing panels and sections based on the page being previewed.

<title> tags in themes

add_theme_support( 'title-tag' ) tells WordPress to handle the complexities of document titles.

Developer Reference

Continued improvements to inline code documentation have made the developer reference more complete than ever.

The Choir

This release was led by John Blackbourn, with the help of these awesome folks. Check out some of their profiles while listening to Dinah Washington on the music service of your choice:

Aaron D. Campbell, Aaron Jorbin, Adam Silverstein, akumria, Alex Concha, Alex Mills (Viper007Bond), Alex Shiels, Allan Collins, Amaury Balmer, Amruta Bhosale, Andrea Fercia, Andrea Gandino, Andrew Munro (sumobi), Andrew Nacin, Andrew Ozz,Andrew Ryno, Andrey “Rarst” Savchenko, Ankit Gade, Ankit K Gupta, antpb,arippberger, Austin Matzko, Bainternet, Barry Kooij, Ben Dunkle, Ben May, Bernhard Riedl, Birgir Erlendsson (birgire), bobbingwide, Boone B. Gorges, Brady Vercher,Bram Duvigneau, Brandon Kraft, Brian DiChiara, Brian Richards, Brian Watson,Camden Segal, Captain Theme, Carlos Zuniga, Caspie, ccprice, Charles Fulton,ChriCo, Chris Aprea, Chris Jean, Chris Marslender, Chris Reynolds, chriscct7, chrisl27,Christian Foellmann, Christopher Finke, Corey Snow, Corphi, curtjen, Damon Cook,Dan Cameron, Daniel Bachhuber, Daniel Convissor, Darren Ethier (nerrad), Daryl Koopersmith, Dave McHale, David A. Kennedy, David Herrera, David Laietta, David Wood, DavidTheMachine, dcavins, Dennis Ploetner, Dion Hulse, Dirk Weise, Dominik Schilling, Dominik Schwind, Drew Jaynes, Dustin Filippini, DustinHartzler, Elio Rivero,Eric Binnion, Eric Holmes, Eric Lewis, Fabien Quatravaux, florianziegler, Gabe Shackle, Gary Cao, Gary Pendergast, Gennady Kovshenin, George Olaru, George Stephanis, Greg Rickaby, Gregory Cornelius, Gregory Karpinsky (@tivnet), Gustavo Bordoni, hardy101, hauvong, Helen Hou-Sandí, heshiming, honeysilvas,hugodelgado, Ian Stewart, ianmjones, Ignacio Cruz Moreno, imath, Ipstenu (Mika Epstein), Ivan Kristianto, J.D. Grimes, jaimieolmstead, jakub.tyrcha, janhenckens,Janneke Van Dorpe, Japh, Jared Wenerd, jarednova, jeanyoungkim, Jeff Farthing, Jeff Stieler, Jeremy Felt, Jeremy Herve, Jesin A, Jesper Johansen (jayjdk), Jesper van Engelen, Jesse Pollak, jipmoors, Joe Dolson, Joe McGill, John Eckman, johnrom,johnstonphilip, Jon Brown, Jon Cave, Jonathan Brinley, Jonathan Desrosiers, Joost de Valk, Jordi Cabot, Joshua Abenazer, JOTAKI Taisuke, jrf, julien731, Justin Sainton,Justin Sternberg, K.Adam White, Kailey (trepmal), Kaito, kamelkev, karpstrucking,keesiemeijer, Kelly Dwan, Kevin Langley, Kiko Doran, Kim Parsell, Kirk Wight, kitchin,Knut Sparhell, Konstantin Kovshenin, Konstantin Obenland, Kostas Vrouvas, kraftner,kristastevens, Kurt Payne, Lance Willett, Laurens Offereins, linuxologos, Liuiza Arunas, loushou, Lutz Schroer, Manoz69, mantismamita, marco, Mario Peshev,Marius (Clorith), Mark Hudnall, Mark Jaquith, Mark Senff, Marko Heijnen,marsjaninzmarsa, Matias Ventura, Matt Mullenweg, Matt Wiebe, Matthew Boynes,Matthew Haines-Young, mattkeys, Maura Teal, Mel Choyce, Mert Yazicioglu, Michael Adams (mdawaffe), Michael Arestad, Michael Beckwith, Michael Cain, Michael Pick,michalzuber, Michelle Langston, Miguel Fonseca, Mike Hansen, Mike Jolley, Mike Nelson, Mike Schroder, Mikey Arce, Mitch Canter (studionashvegas), Morgan Estes,Morten Rand-Hendriksen, mvd7793, Nashwan Doaqan, Niall Kennedy, Nick Halsey,Nikhil Vimal (NikV), Nikola Nikolov, nobleclem, noplanman, Nowell VanHoesen,OriginalEXE, p_enrique, Paul, Paul de Wouters, Paul Schreiber, Paul Wilde, pavelevap,Peter Chester, Peter J. Herrel, Peter Westwood, Peter Wilson, Philip Arthur Moore,phpmypython, Pippin Williamson, Prasath Nadarajah, psycleuk, Ptah Dunbar,quietnic, Rachel Baker, Rami Yushuvaev, ramiabraham, Reuben Gunday, Rian Rietveld, Richard Archambault, Ricky Lee Whittemore, Robert Chapin, Rodrigo Primo,Ryan Boren, Ryan Kienstra, Ryan McCue, Sakin Shrestha, Sam Hotchkiss, Samuel Wood (Otto), Scott Kingsley Clark, Scott Reilly, Scott Taylor, Sergey Biryukov, Shawn Hooper, Simon Pollard, Simon Wheatley, skaeser, Slobodan Manic, socki03,solarissmoke, Stephane Daury, Stephen Edgar, Stephen Harris, Steve Grunwell,Sumit Singh, TacoVerdo, Takashi Irie, Takayuki Miyauchi, Tammie, Tareq Hasan,Taylor Lovett, Thorsten Frommen, Till Kruss, Tobias Schutter, TobiasBg, Toby McKes,Tom J Nowell, Tomas Mackevicius, TomHarrigan, Topher, Torsten Landsiedel, Tracy Levesque, transom, Travis Smith, Ty Carlson, Udit Desai, Umesh Kumar, Vinod Dalvi,vlajos, voldemortensen, Weston Ruter, Yoav Farhi, Yuta Sekine, Zack Rothauser, andZack Tollman.

There were 283 contributors to this release, again a new high.

If you want to help out or follow along, check out Make WordPress and our core development blog.

Thanks for choosing WordPress. Happy holidays and see you next year for version 4.2!

Reposted from


WordPress 4.2.2 Security and Maintenance Release

WordPress 4.2.2 is now available. This is a critical security release for all previous versions and …

More in Wordpress


Passwords and Passphrases, you’re most common security measure

The first and most common piece of security everyone is aware of and using is a password or hopefull…

More in Security