WordPress administrators are once again in trouble.
WordPress version 4.9.3 was released earlier this week with patches for a total 34 vulnerabilities, but unfortunately, the new version broke the automatic update mechanism for millions of WordPress websites.
WordPress team has now issued a new maintenance update, WordPress 4.9.4, to patch this severe bug, which WordPress admins have to install manually.
According to security site WordFence, when WordPress CMS tries to determine whether the site needs to install an updated version, if available, a PHP error interrupts the auto-update process.
If not updated manually to the latest 4.9.4 version, the bug would leave your website on WordPress 4.9.3 forever, leaving it vulnerable to future security issues.
Here’s what WordPress lead developer Dion Hulse explained about the bug:
“#43103-core aimed to reduce the number of API calls which get made when the auto-update cron task is run. Unfortunately, due to human error, the final commit didn’t have the intended effect and instead triggers a fatal error as not all of the dependencies of find_core_auto_update() are met. For whatever reason, the fatal error was not discovered before 4.9.3’s release—it was a few hours after release when discovered.”
The issue has since been fixed, but as reported, the fix will not be installed automatically.
Thus, WordPress administrators are being urged to update to the latest WordPress release manually to make sure they’ll be protected against future vulnerabilities.
To manually update their WordPress installations, admin users can sign into their WordPress website and visit Dashboard→Updates and then click “Update Now.”
After the update, make sure that your core WordPress version is 4.9.4.
However, not all websites being updated to the faulty update have reported seeing this bug. Some users have seen their website installed both updates (4.9.3 and 4.9.4) automatically.
Moreover, the company released two new maintenance updates this week, but none of them includes a security patch for a severe application-level DoS vulnerability disclosed last week that could allow anyone to take down most WordPress websites even with a single machine.
Since WordPress sites are often under hackers target due to its wide popularity in the content management system (CMS) market, administrators are advised to always keep their software and plugins up-to-date.
- Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites
- Nearly 2000 WordPress Websites Infected with a Keylogger
- Unpatched DoS Flaw Could Help Anyone Take Down WordPress Websites
- Patch Tuesday: Microsoft Releases Update to Fix 53 Vulnerabilities
- Firefox 58 to Block Canvas Browser Fingerprinting By Default to Stop Online Tracking