WordPress 4.1.2 is now available. This is a critical security release for all previous versions and it is strongly recommended to update your sites immediately. A number of plugins also released security fixes yesterday. Keep everything updated to stay secure.
Major security changes:
- A serious critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
- Files with invalid or unsafe names could be uploaded.
- Some plugins are vulnerable to an SQL injection attack.
- A very limited cross-site scripting vulnerability could be used as part of a social engineering attack.
- Four hardening changes, including better validation of post titles within the Dashboard.
- WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
