14 DAY TRIAL // The WordPress team has put out version 4.4.1 that fixes an XSS (cross-site scripting) vulnerability that would have allowed attackers to take control over a compromised website.
The cross-site vulnerability was discovered by independent Filipino security researcher Crtc4L, who reported the issue via WordPress' bug bounty program hosted on the HackerOne service.
No details are available at this moment on how the XSS bug works, and the changelog doesn't reveal any XSS-like fixes. It is possible that the WP team refrained from releasing details about the bug until most of its users have updated.
Besides the cross-site scripting issue, the developers also fixed a problem on WordPress sites running an older version of OpenSSL, which encountered errors when trying to communicate with other services via plugins.
Other non-security related changes include how the CMS deals with reused URL slugs, which sometimes redirect site visitors to the wrong page.
Additionally, Unicode 8.0 support has been added, meaning users have full access to the latest emoji characters approved by the Unicode Consortium.
WordPress sites are configured to receive automatic updates within 24 hours of their official release. Because this is a security release, it is advised that you go to your admin panel and trigger the 4.4.1 update manually, if it hasn't been installed by now.
You can download your own copy of WordPress from Softpedia, GitHub, or the official website.