WordPress.org released version 4.8.2 of its content management system that fixes nine security issues, five of which involve cross-site scripting (XSS) vulnerabilities.
The top-ranked flaw was found in $wpdb->prepare() which if left unpatched can create unexpected and unsafe queries leading to an SQL injection. The organisation reported that WordPress core is not directly vulnerable to this problem, but it was decided to harden this area to prevent plugins and themes from accidentally causing a vulnerability.
The XSS issues were found the 0Embed discovery, the visual editor, the plugin editor, template names and in the link modal. Recently, WordPress found that a very persistent malicious actor had added a backdoor to a plugin called Display Widgets that installed backdoors on possibly 200,000 websites since June 21.
The other issues were two path traversal vulnerabilities being found in the file unzipping code and the customiser and finally an open redirect was uncovered user and term edit screens.
All WordPress versions from 4.8.1 and earlier are affected and must be updated, the organisation said.