
Several vulnerabilities have been patched in WordPress

by Unallocated Author

WordPress 4.8.2 is now available. The new security release came with several patches that fix 9 vulnerabilities affecting version 4.8.1 and earlier, including cross-site scripting (XSS), SQL injection, path traversal and open redirection vulnerabilities.

The SQL injection vulnerability was discovered and reported by Slavco. The issue exists because $wpdb->prepare() can generate unexpected and unsafe queries, leading to possible SQL injection. WordPress core is not directly vulnerable to this flaw, but the release adds hardening to stop plugins and themes from accidentally causing a vulnerability.

Five XSS vulnerabilities affect oEmbed discovery, the visual editor, the plugin editor, template names and the link modal. They were discovered by security researchers and a member of the WordPress Security Team, and are patched in WordPress 4.8.2.

Two path traversal vulnerabilities, affecting the customizer and the file unzipping code, were discovered and reported by another member of the WordPress Security Team and Alex Chapman.

The last one is an open redirect vulnerability discovered on the user and term edit screens and reported by Yasin Soliman (ysx).

WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites.
