Two new exploits have been discovered in the WordPress content management system that allow an attacker to take control of websites built on it. The exploits give the attacker access to functionality such as changing passwords, adding administrators, or any other action a logged-in administrator can perform. They are especially worrying because they work on WordPress 4.2, the current release, which came out last week.
It was a Finnish researcher named Jouko Pynnönen, who works at a security firm called Klikki Oy, who first documented the issue on the company's blog, writing:
If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors; alternatively, the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
Klikki Oy has also posted a video showing the attack in progress.
A fix for this exploit has been released as WordPress 4.2.1. All admins should go to Dashboard -> Updates and click “Update now”.
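A quick way to confirm the update actually landed, added here as an example and not code from the original article or from WordPress itself: it reads the release string WordPress stores in wp-includes/version.php and reports whether the install is at or past 4.2.1. The sample file content below is constructed; only the check_install() path argument is something you would point at a real site.

```python
import re
from pathlib import Path

# The release that carries the fix for the exploits described above.
PATCHED_VERSION = "4.2.1"

# WordPress records its release in wp-includes/version.php as: $wp_version = '4.2';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_version(text: str) -> str:
    """Extract the $wp_version string from the contents of wp-includes/version.php."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError("no $wp_version assignment found in version.php")
    return match.group(1)


def version_tuple(version: str) -> tuple:
    """Turn '4.2.1' into (4, 2, 1) so comparison is numeric, not lexical ('4.10' > '4.9')."""
    # Drop a pre-release suffix such as '-alpha' or '-RC1' before splitting.
    core = version.split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    # Pad so a two-part release like '4.2' compares as (4, 2, 0), not as a shorter tuple.
    return parts + (0,) * (3 - len(parts))


def is_patched(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the running release is at or beyond the fixed one."""
    return version_tuple(version) >= version_tuple(patched)


def check_install(wp_root: str) -> dict:
    """Read version.php under a WordPress root and report whether the 4.2.1 update is in place."""
    path = Path(wp_root, "wp-includes", "version.php")
    version = parse_version(path.read_text(encoding="utf-8", errors="replace"))
    return {"version": version, "patched": is_patched(version)}


# Constructed sample of the relevant line from an unpatched 4.2 install (not a real file).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.2';\n"

if __name__ == "__main__":
    found = parse_version(SAMPLE_VERSION_PHP)
    status = "patched" if is_patched(found) else f"VULNERABLE, update to {PATCHED_VERSION}"
    print(f"WordPress {found}: {status}")
```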