YNOT EUROPE – Those who have been following YNOT Europe’s series about employing WordPress as a website content management platform need to be aware that WordPress on Thursday issued a critical update and is encouraging all users of the open-source software to patch their installations as quickly as possible.

In an email to registered users, WordPress creator Matt Mullenweg explained the update fixes persistent cross-site-scripting flaws that could allow hackers to install malicious code web server administrators would find difficult, if not next-to-impossible, to erase.

“We’ve fixed a pretty critical vulnerability in WordPress’ core HTML sanitation library, and because this library is used lots of places, it’s important that everyone update as soon as possible,” Mullenweg noted in the email. “I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well.”

In testament to the seriousness of the vulnerability, Mullenweg also asked other developers to take a look at the actual code employed in the fix.

“We’ve given [the fix] a lot of thought and review, but since this is so core we want as many brains on it as possible,” he wrote on the WordPress blog.

Mullenweg and his crew were wise to spread the word as quickly and thoroughly as possible on this one. Persistent XSS attacks are much more dangerous than their standard XSS cousins, because code for the persistent variety burrow into a server and are tough to ferret out and eliminate. The malicious payload consequently becomes a permanent fixture on the affected pages.

So far no exploits have been reported in the wild, but a senior security advisor at anti-virus company Sophos indicated taking advantage of the WordPress XSS vulnerability would be “quite trivial for folks with malicious intent.”

“The flaws exist in parts of the code which are case-sensitive when detecting which protocols are allowed in certain parts of the application,” Chester Wisniewski said. “The update prohibits evading the rules with mixed case input.”

The update, version 3.0.4, is available through the update page in WordPress dashboards or may be downloaded here.