Developers at WordPress are encouraging users of the content management system to download and apply the most recent update, pushed yesterday, to address a cross-site scripting (XSS) vulnerability.
According to WordPress the bug exists in all versions before 4.4 and if exploited, could allow a hacker to take control of an affected website.
An independent security researcher based in the Philippines that goes by the handle “Crtc4L” found the bug and was awarded a bounty through HackerOne.
According to Aaron Jorbin, a WordPress contributor who wrote about the update Wednesday, the bug allows for compromise by a remote attacker. It’s not clear exactly how dangerous the bug is however, as no further details about it, or the researcher who discovered it, have surfaced yet.
The update, 4.4.1, fixes 52 bugs in total. Some sites that had older versions of OpenSSL installed were unable to communicate with other services provided through some plugins, according to Jorbin.
Users can download 4.4.1 directly, or if they don’t have automatic background updates enabled on their site, download it via WordPress’ update function in the Dashboard.