The vulnerability affects WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest WordPress version 4.2. WordPress addressed the vulnerability with the release of version 4.2.1 on Monday, April 27, 2015. A second update to the WordPress engine was released last night.
“This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately,” the WordPress team said of the latest version.
Upon reflection and consultation with colleagues, 3Planets – Internet Solutions STRONGLY recommends that you install the plugin “Peter’s Literal Comments” to prevent any such attack on your website – even if you do not allow comments on your website. Peter’s Literal Comments converts single quotes, double quotes, the less than symbol (<), the greater than symbol (>), and ampersands (&) to HTML entities whenever a comment is posted, so that the browser displays those characters literally instead of interpreting them as HTML when someone views the comment.
This plugin is small, has a low overhead and is elegant. To read more about this security flaw, check out the article “Hacking WordPress Website with Just a Single Comment”. To get the full description of Peter’s Literal Comments, visit his plugin page, “How to disable HTML in WordPress comments”.