A new WordPress version, 4.8.2, has been released. As this contains security fixes, all WordPress sites should be updated immediately.
The update includes a fix to $wpdb->prepare() to help protect against SQLi injection attacks. WordPress core is not vulnerable to SQLi injection attacks directly, but certain plugins and themes may be vulnerable depending on how they use the $wpdb->prepare() function in their code. This fix alone is reason to update immediately to 4.8.2.
The release fixes five cross-site scripting (XSS) vulnerabilities. These are in:
- oEmbed discovery
- The visual editor
- The plugin editor
- In template names
Two path traversal vulnerabilities were fixed. These are:
- In the file unzipping code
- In the customizer
An open redirect was also fixed on the user and term editing screens. 4.8.2 also includes 6 maintenance fixes.
If auto-updates are enabled (default), WordPress will update automatically since contains security fixes. Make sure your WordPress installation is updated.