The content management system rolled out an update Thursday that addressed a security flaw that affected millions of websites. The vulnerability, first spotted by security researchers at Sucuri, leaves affected websites susceptible to an attack that could allow others to take control of the sites.
The flaw stems from a bad file within Genericons, which is preloaded into many WordPress sites by default, including the default TwentyFifteen theme and the JetPack plugin, according to researchers. The file leaves websites open to a cross-site scripting (XSS) vulnerability, which could potentially allow attackers a way to gain control of a website, says Mashable.
“Any WordPress plugin or theme that includes this file is open to an attack,” WordPress wrote in a post on its VaultPress blog addressing the matter.
The Sucuri researchers note that though the flaw is far-reaching, it would be a “bit harder to exploit” compared with other flaws, though the effects of an attack can be severe. For its part, WordPress says its latest patch removed the problematic files from its themes and plugins.
“Between the update and the very simple action that web hosts can take to protect we estimate that there are not too many vulnerable sites in the wild,” a WordPress spokesperson told Mashable, adding that “staying up to date on the latest and greatest version of WordPress is the single-best thing you can do to stay secure.”
Users can get the WordPress update from the updates menu in their main dashboard. The patch has already started rolling out to those with automatic updates enabled.