WordPress has released an emergency fix for a zero-day vulnerability that leaves millions of websites open to hijacking attacks.
The WordPress 4.2.1 Security Release was announced in an advisory by WordPress consultant Gary Pendergast mere hours after the vulnerability was disclosed by bug hunter Jouko Pynnönen.
"A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability which could enable commenters to compromise a site," read the advisory.
"WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
"WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those."
The flaw's discovery has caused ripples in the security community owing to its widespread reach and potential for harm.
"If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
"Alternatively the attacker could change the administrator's password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system."
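The two defensive checks a site owner would want after reading this are whether the install has reached the 4.2.1 security release, and whether the plugin and theme editors that the quoted attack path relies on have been switched off. The following Python script, added here as an example and not code from WordPress or from the article, performs both checks against file contents passed in as strings. The version.php and wp-config.php bodies it reads are constructed samples; it assumes the real files carry a `$wp_version` assignment and, optionally, a `define('DISALLOW_FILE_EDIT', true)` line, which is the WordPress constant that disables the in-browser file editors.

```python
import re

# Constructed sample of a wp-includes/version.php body from an unpatched
# 4.2 install (assumption: the real file assigns $wp_version like this).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.2';\n$wp_db_version = 31536;\n"

# Constructed sample wp-config.php fragment. DISALLOW_FILE_EDIT is the real
# WordPress constant that removes the plugin and theme editors from wp-admin.
SAMPLE_WP_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wp');\n"
    "define('DISALLOW_FILE_EDIT', true);\n"
)

# First release carrying the fix for the comment XSS, per the advisory.
FIXED_VERSION = "4.2.1"


def parse_version(text):
    """Return the $wp_version value as an int tuple, or None if absent."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([0-9][0-9.]*)['\"]", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_php_text):
    """True when the install is older than the 4.2.1 security release.

    Tuple comparison handles the missing patch component: (4, 2) sorts
    below (4, 2, 1), while (4, 3) sorts above it.
    """
    found = parse_version(version_php_text)
    if found is None:
        raise ValueError("no $wp_version assignment found")
    fixed = tuple(int(part) for part in FIXED_VERSION.split("."))
    return found < fixed


def file_editors_disabled(wp_config_text):
    """True when wp-config.php defines DISALLOW_FILE_EDIT as true."""
    m = re.search(
        r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(true|false)\s*\)",
        wp_config_text,
        re.IGNORECASE,
    )
    return bool(m) and m.group(1).lower() == "true"


def triage(version_php_text, wp_config_text):
    """Summarise both checks so a fleet scan can flag sites needing action."""
    return {
        "vulnerable": is_vulnerable(version_php_text),
        "editors_disabled": file_editors_disabled(wp_config_text),
    }


if __name__ == "__main__":
    # Run against the constructed samples: the version is pre-fix, but the
    # editors are off, so arbitrary code execution via the editors is blocked
    # even before the update lands.
    print(triage(SAMPLE_VERSION_PHP, SAMPLE_WP_CONFIG))
```

Disabling the file editors does not fix the cross-site scripting flaw itself; it only removes the code-execution step the quoted description builds on top of it. The update to 4.2.1 remains the actual remediation, and the version check above is what confirms it has applied, including on sites that rely on the automatic background update.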
WordPress is one of the biggest website hosting platforms in the world and is used by millions of companies, including Time, CNN, UPS and Dow Jones. WordPress boasts that it "runs 23 percent of the internet".
The US Computer Emergency Readiness Team has since issued an advisory calling for WordPress users to install the patch as soon as they are able.
"WordPress 4.2 and prior versions contain critical cross-site scripting vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected website," read the advisory.
"Users and administrators are encouraged to review the WordPress Security Release and upgrade to WordPress 4.2.1."
The zero-day is the latest in a long line of WordPress security problems. Researchers at security firm Sucuri uncovered a separate zero-day vulnerability in WordPress in February being exploited by hackers to infect thousands of websites.
Trustwave penetration testers reported in January that the 'Ghost' Linux bug could be exploited through WordPress-based attacks.