WordPress — Secure and Latest Versions

 
As a courtesy to our customers, we maintain a list of recent versions and the important security updates for WordPress. Generally, the most current version of your CMS is the most secure, but if you have an older version of your CMS, it can be hard to find information on whether your version is secure or not.

Bookmark this KB, and we will continue to update it with the most current secure version information.


What is the latest secure version of WordPress?

WordPress 4.9.5 — Maintenance
WordPress 4.9.5 is a standard maintenance release which contains 29 maintenance fixes to the WordPress 4.9 series of releases a fix related to the WordPress Customizer and Media Library. Check out the full update and official release notes here.
 
WordPress 4.9.4 — Maintenance
WordPress 4.9.4 is a standard maintenance release which contains 1 maintenance fix to the WordPress 4.9 series of releases a fix related to WP Automatic Updates. Check out the full update and official release notes here.
 
 
WordPress 4.9.3 — Maintenance
WordPress 4.9.3 is a standard maintenance release which contains 34 maintenance fixes and enhancements to the WordPress 4.9 series of releases the biggest fix among them is to the customizer changesets, widgets, visual editor, and PHP 7.2 compatibility. Check out the full update and official release notes here.
 
WordPress 4.9.2 — Security & Maintenance
WordPress 4.9.2 is another security release for "all previous versions" of the platform, according to the official release statement. Users are urged to update their sites immediately. The WordPress security team discovered that WordPress 4.9 and earlier versions are affected by four different security issues, all of which are patched in this release.
 
Those vulnerabilities include:
  • Fixed a XSS vulnerability in the Flash fallback in MediaElement 4.x, a library that is included with WordPress 4.9
This update includes a complete breakdown of the above issues. If you'd like more information on the security vulnerabilities patched above, read the official patch announcement here, or the release notes in the WordPress Codex here.
 
WordPress 4.9.1 — Security & Maintenance
WordPress 4.9.1 is another security release for "all previous versions" of the platform, according to the official release statement. Users are urged to update their sites immediately. The WordPress security team discovered that WordPress 4.9 and earlier versions are affected by four different security issues, all of which are patched in this release.
 
Those vulnerabilities include:
  • Use a properly generated hash for the newbloguser key instead of a determinate substring.
  • Add escaping to the language attributes used on html elements.
  • Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
  • Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.
This update includes a complete breakdown of the above issues. If you'd like more information on the security vulnerabilities patched above, read the official patch announcement here, or the release notes in the WordPress Codex here.
 
WordPress 4.9 — Features Update
WordPress 4.8 is a features update named after jazz musician Billy Tipton. It is available now for use on your site. Fully loaded, version 4.9 brings improvements to the customizer workflow, collaborating with design preview links, design locking to guard your changes, prompts to protect your work and many more coding improvements.
 
Additionally, version 4.9 adds the ability to see nearby WordPress events  WordPress 4.9 is full of goodies for developers and content creators alike. Check out the full update and official release notes here.
 
WordPress 4.8.3 — Security Update
WordPress 4.8.3 is another security release for "all previous versions" of the platform, according to the official release statement. Users are urged to update their sites immediately. The WordPress security team discovered that WordPress 4.8.2 and earlier versions are affected by six different security issues, all of which are patched in this release.
 
Those vulnerabilities include:
  •  $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability
This update includes a complete breakdown of the above issues. If you'd like more information on the security vulnerabilities patched above, read the official patch announcement here, or the release notes in the WordPress Codex here.
 
WordPress 4.8.2 — Security Update
WordPress 4.8.2 is another security release for "all previous versions" of the platform, according to the official release statement. Users are urged to update their sites immediately. The WordPress security team discovered that WordPress 4.8.1 and earlier versions are affected by six different security issues, all of which are patched in this release.
 
Those vulnerabilities include:
  • $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability
  • A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery
  • A cross-site scripting (XSS) vulnerability was discovered in the visual editor
  • A path traversal vulnerability was discovered in the file unzipping code
  • A cross-site scripting (XSS) vulnerability was discovered in the plugin editor
  • An open redirect was discovered on the user and term edit screens
  • A path traversal vulnerability was discovered in the customizer
  • A cross-site scripting (XSS) vulnerability was discovered in template names
  • A cross-site scripting (XSS) vulnerability was discovered in the link modal
This update includes a complete breakdown of the above issues. If you'd like more information on the security vulnerabilities patched above, read the official patch announcement here, or the release notes in the WordPress Codex here.
 
WordPress 4.8.1 — Maintenance and Enhancments
WordPress 4.8.1 is a standard maintenance release which contains 29 maintenance fixes and enhancements to the WordPress 4.8 series of releases the biggest fix among them is to the rich text widget and the introduction to the HTML widget. Check out the full update and official release notes here.
 
WordPress 4.8 — Features Update
WordPress 4.8 is a features update named after jazz pianist and composer William John “Bill” Evans. It is available now for use on your site. Fully loaded, version 4.8 brings the new image widget, video widget, audio widget, and the rich text widget
 
Additionally, version 4.8 adds the ability to see nearby WordPress events  WordPress 4.8 is full of goodies for developers and content creators alike. Check out the full update and official release notes here.
 
WordPress 4.7.7 — Security Update
WordPress 4.7.7 is another security release for "all previous versions" of the platform, according to the official release statement. Users are urged to update their sites immediately. The WordPress security team discovered that WordPress 4.8.2 and earlier versions are affected by six different security issues, all of which are patched in this release.
 
Those vulnerabilities include:
  •  $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability
This update includes a complete breakdown of the above issues. If you'd like more information on the security vulnerabilities patched above, read the official patch announcement here, or the release notes in the WordPress Codex here.
 
WordPress 4.7.6 — Security Update
WordPress 4.7.6 is another security release for "all previous versions" of the platform, according to the official release statement. Users are urged to update their sites immediately. The WordPress security team discovered that WordPress 4.8.1 and earlier versions are affected by six different security issues, all of which are patched in this release.
 
Those vulnerabilities include:
  • $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability
  • A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery
  • A cross-site scripting (XSS) vulnerability was discovered in the visual editor
  • A path traversal vulnerability was discovered in the file unzipping code
  • A cross-site scripting (XSS) vulnerability was discovered in the plugin editor
  • An open redirect was discovered on the user and term edit screens
  • A path traversal vulnerability was discovered in the customizer
  • A cross-site scripting (XSS) vulnerability was discovered in template names
  • A cross-site scripting (XSS) vulnerability was discovered in the link modal
This update includes a complete breakdown of the above issues. If you'd like more information on the security vulnerabilities patched above, read the official patch announcement here, or the release notes in the WordPress Codex here.
 
WordPress 4.7.5 — Security Update
WordPress 4.7.5 is another security release for "all previous versions" of the platform, according to the official release statement. Users are urged to update their sites immediately. The WordPress security team discovered that WordPress 4.7.4 and earlier versions are affected by six different security issues, all of which are patched in this release.
 
Those vulnerabilities include:
  • Insufficient redirect validation in the HTTP class
  • Improper handling of post meta data values in the XML-RPC API
  • Lack of capability checks for post meta data in the XML-RPC API
  • A Cross Site Request Forgery (CSRF)  vulnerability was discovered in the filesystem credentials dialog
  • A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files
  • A cross-site scripting (XSS) vulnerability was discovered related to the Customizer
This update includes a complete breakdown of the above issues. If you'd like more information on the security vulnerabilities patched above, read the official patch announcement here, or the release notes in the WordPress Codex here.
 
WordPress 4.7.4 — Bug Update
WordPress 4.7.4 is a bug update to fix 47 known bugs in WordPress from WordPress 4.7.3 including the incompatibility with an upcoming release of Google Chrome. Additionally, what is being corrected are inconsistencies with media handling and further improvements to the REST API. The full release notes can be found at the WordPress codex here
 
WordPress 4.7.3 — Security Update
WordPress 4.7.3 is another security release for "all previous versions" of the platform, according to the official release statement. Users are urged to update their sites immediately. The WordPress security team discovered that WordPress 4.7.2 and earlier versions are affected by six different security issues, all of which are patched in this release.
 
Those vulnerabilities include:
  • Cross-site scripting (XSS) via media file metadata.
  • Control characters can trick redirect URL validation.
  • Unintended files can be deleted by administrators using the plugin deletion functionality.
  • Cross-site scripting (XSS) via video URL in YouTube embeds.
  • Cross-site scripting (XSS) via taxonomy term names.
  • Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.
This update includes a complete breakdown of the above issues. If you'd like more information on the security vulnerabilities patched above, read the official patch announcement here, or the release notes in the WordPress Codex here.
 
WordPress 4.7.2 — Security Update
WordPress 4.7.2 is a security release for "all previous versions" of the platform, according to the official release statement. Users are urged to update their sites immediately. This patch includes a fix with the user interface involving assigning taxonomy terms, an issue where WP_Query is vulnerable to a possible SQL injection attack, and a cross-site scripting vulnerability that was discovered in the posts list table by the WordPress Security Team. For more information on this security update, read the official security release notes here.
 
WordPress 4.7.1 — Security and Maintenance Update
WordPress 4.7.1 is a security and maintenance release that addresses eight various security issues. The identified issues are believed to impact WordPress 4.7 and all earlier versions of the platform. These security vulnerabilities include: remote code execution in PHPMailer, an issue with the REST API where user data could be exposed in certain situations, a cross-site request forgery issue, a cross-site scripting issue with update-core.php, and others. More information can be found in the official release notes here.
 
WordPress 4.7 — Features Update
WordPress 4.7 is a features update named after jazz vocalist Sarah "Sassy" Vaughan. It is available now for use on your site. Fully loaded, version 4.7 brings a new Twenty Seventeen theme, and more starter content and editing options, including: editing shortcuts, video headers, smoother menu building, custom CSS (instantly see how it affects your site), PDF thumbnail previews (a welcome addition for content marketers), more dashboard language options, and more.
 
Additionally, version 4.7 adds more tools to the REST API box. Now, content endpoints are available for posts, comments, terms, users, meta, and settings. WordPress 4.7 is full of goodies for developers and content creators alike. Check out the full update and official release notes here.
 
WordPress 4.6.1 — Security Update
WordPress 4.6.1 is a security update recommended for all previous versions of the WordPress CMS platform. Identified and addressed are two security issues: one involving a cross-site scripting vulnerability (XSS vulnerability) through the image filename, and the second is described as "a path traversal vulnerability in the upgrade package uploader" by the WordPress Security Team. This update also address 15 bugs in the 4.6.x series. For more information, read the official release notes here.
 
WordPress 4.6 — Features Update
WordPress 4.6, once again, maintains the popular CMS's habit of naming features releases after jazz performers. Named "Pepper" after baritone saxophonist Park Frederick "Pepper" Adams III, version 4.6 offers several new features to WordPress, including, streamlined updates, native fonts, and several editor improvements such as a new inline link checker and browser-based content recovery.
 
Multiple performance enhancements were made to the code under the hood, as well. Please note, this is a features release only: there are no security updates in this version of WordPress. For more information, read the official release notes here.
 
WordPress 4.5.3 — Security Update
WordPress 4.5.3 is a security release for WordPress versions 4.5.2 and earlier. There are actually quite a few vulnerabilities included in this patch that have been closed; we recommend users update immediately to close this entire security release. Those issue patched include: redirect bypass in the customizer, two different cross-site-scripting vulnerabilities, improper history information disclosure, oEmbed denial of service, unauthorized category removal, and a lesser issue with the sanitize_file_name system. This update also address 17 bugs in the WordPress 4.5.x series. For more information, read the official release notes here.
 
WordPress 4.5.2 — Security Update
WordPress 4.5.2 is a security release for all previous versions of the CMS. According to the WordPress Security Team, "WordPress versions 4.5.1 and earlier are affected by SOME [their emphasis] vulnerability through Plupload, the third-party library WordPress uses for uploading files." Additionally, vulnerabilities with XSS through the MediaElement.js library have been identified. These issues have been fixed by the third-party groups on their end, and users are encouraged to update their WordPress sites to version 4.5.2 to fully close them. For more information, read the official release notes here.
 
WordPress 4.5.1 — Maintenance Update
WordPress 4.5.1 is a maintenance release to WP 4.5 "Coleman." This releases fixes 12 bugs in version 4.5 that have been identified by the WordPress community. According to the release team, "chief among them a singular class issue that broke sites based on the Twenty Eleven theme, an incompatibility between certain Chrome versions and the visual editor, and an Imagick bug that could break media uploads." For more information, read the official release notes here.
 
WordPress 4.5 — Features Update
WordPress 4.5 continues the tradition of naming updates after jazz musicians. Dubbed "Coleman" in honor of jazz saxophonist Coleman Hawkins, WordPress 4.5 has several new feature updates, including: inline linking to allow for "a less distracting interface," improved formatting shortcuts, custom logo capabilities out of the box for branding, smart image resizing, selective refresh framework optimizations, updates to the JavaScript Library, and better embed templates.
 
For marketers, advertisers, and front-end developers, however, the most important new feature is live responsive previews. Yes, you can now simply switch between previews of your WordPress site to see what it will look like on desktop, tablet, and mobile — all with just the click of a button.
 
This is a great new feature added to core, and we're happy to see its inclusion in this roll-out of the 4.5 series build. For more information on WordPress 4.5, read the official release announcement here.
 
WordPress 4.4.2 — Security Update
The recent 4.4.2 update addresses two security issues found in the 4.4.x series that were uncovered after the release of WordPress version 4.4.1. The WordPress security team said, "WordPress versions 4.4.1 and earlier are affected by two security issues: a possible SSRF for certain local URIs ... and an open redirection attack." In addition to those issues, version 4.4.2 also fixes 17 bugs found in the 4.4.x series. For more information, read the official release notes here.
 
WordPress 4.4.1 — Security Update
WordPress version 4.4.1 addresses a serious security release for previous versions of WordPress. This cross-site scripting vulnerability could allow a malicious attacker to hijack a site. The WordPress Security Team is recommending everyone update to the most current version immediately. The update also fixes 52 bugs from the 4.4.x series. For more information, read our detailed News Item update here.
 
WordPress 4.4 — Features Update
WordPress version 4.4 is a features update codenamed "Clifford," named after jazz trumpet player Clifford Brown. WordPress characterizes 4.4 as making your WordPress site "more connected and responsive." It includes a new default theme called "Twenty Sixteen," which is "built to look great on any device." One of the best new features is that blog images are now dynamically responsive and automagically adjust for screen size. A new REST API is now integrated into core, which should give developers ample new tools to play with. For more information, read the official release notes here.
 
WordPress 4.3.1 — Security Update
WordPress version 4.3.1 is a security release for all previous versions of WordPress. This version contains multiple security updates including fixes for two cross-site scripting vulnerabilities, as well as a potential privilege escalation issue. In addition, the WordPress team reports that version 4.3.1 "also fixes twenty-six bugs." For more information, read the official release notes here.
 
WordPress 4.3 — Features Update
WordPress version 4.3 is named "Billie" in honor of jazz singer Billie Holiday. This features update includes new menus in the customizer, formatting shortcuts, site icons (a great new, little feature), better passwords, a smoother admin experience, comments turned off on pages, and more front-end features to customize your site quickly. For more information on the 4.3 update, read the official release post here.
 
WordPress 4.2.4 — Security Update
WordPress version 4.2.4 fixes several cross-site scripting vulnerabilities, as well as a possible SQL injection vulnerability "that could compromise a site." This security update comes closely after the 4.2.3 security update that also closed a different cross-site scripting vulnerability (see below). For more information on the 4.2.4 security release, read here.
 
WordPress 4.2.3 — Security Update
WordPress version 4.2.3 is a security release for all previous versions of the platform. According to the WordPress security team, this update fixes "a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. Additionally, 20 bugs from 4.2 are addressed in this update. For more information, read the official release notes here.
 
WordPress 4.2.2 — Security Update
WordPress version 4.2.2 is a "critical security release" for all previous versions of WordPress. It is strongly recommended that users update their WordPress sites as soon as possible. The 4.2.2 security release addresses two main issues: an HTML file vulnerable to cross-site scripting attack; and another cross-site scripting vulnerability "which could enable anonymous users to compromise a site." For more information, read the official release notes here.
 
WordPress 4.2.1 — Security Update
WordPress version 4.2.1 is a "critical security release" for all previous versions of WordPress. Both the Managed.com Team, and the WordPress Security Team, strongly encourage users to update your sites immediately. This update addresses a cross-site scripting vulnerability, wherein the issue could be exploited to "enable commenters to compromise a site." WordPress classified this update as such a security concern, that it began "to roll out as an automatic background update." For more information, read the official release notes here.
 
WordPress 4.2 — Features Update
WordPress version 4.2 is a point-update release with several new features for veterans and new users of WordPress alike. Some updates include improved native character support (including Chinese, Japanese, and Korean characters), the ability to preview installed themes, more APIs for approved embeds (Kickstarter and Tumblr), streamlined plugin updates, and more. For more information, read the official 4.2 "Powell" update release notes here.
 
WordPress 4.1.2 — Security Update
WordPress version 4.1.2 is a "critical security release" for all previous versions of WordPress. This update addresses multiple security issues, including: instances where files with invalid names could be uploaded, a cross-site scripting vulnerability, and instances where several plugins were vulnerable to SQL injection attacks. We recommend you update your site immediately to mitigate any issues with these vulnerabilities. For more information, read the official 4.1.2 security release notes here.
 
WordPress 4.1.1 — Maintenance Update
WordPress version 4.1.1 is a maintenance release that addresses several minor fixes. As the WordPress team said in the release statement, "WordPress 4.1 was a smooth-sailing release," so don't expect any major features or updates in this release. The 4.1.1 update fixes 21 bugs in version 4.1. For more information, read the official 4.1.1 release notes here.
 
WordPress 4.1 — Features Update
WordPress version 4.1 is a features update with a renewed focus on writing. WordPress has added a distraction-free writing mode to encourage more people to actually write their content within the application. A new responsive theme has been added that is built to make reading blogs easier, and several tweaks and additions under the hood should be welcome to the WordPress novice and veteran alike. For more information, read our detailed News item on this update here.
 
WordPress 4.0.1 — Security Update
The WordPress Security Team addressed multiple vulnerabilities in the 4.0.1 update. This release closes a critical vulnerability found in versions 3.9.2 and earlier that would allow an attacker to inject malicious JavaScript into a comment, thereby an anonymous user could compromise a site. There are several other vulnerabilities addressed, including three cross-site scripting issues, cross-site request forgeries, and 23 additional bugs. For more information, read our detailed News Item on this update here.
 
WordPress 4.0 — Features Update
WordPress version 4.0 includes all of the recent security updates for the WordPress platform (see below), as well as several new enhancements. This full-point release includes: enhanced toolbars, intuitive editing, seamless media embeds, new plugin browser, updates to the media manager, a media library grid, and more. For more information, read our detailed News Item on this update here.
 
WordPress 3.9.2 — Security Update 
WordPress version 3.9.2 is an update that addresses a "major security vulnerability" which takes use of an "XML Quadratic Blowup Attack." The WordPress and Drupal security teams worked in tandem on a fix, as the vulnerability affected both platforms. We recommend users update to WordPress 3.9.2 immediately to mitigate potential attacks that make use of this vulnerability. Read our detailed News Item on this update here

WordPress 3.9.1 — Maintenance Update 
WordPress version 3.9.1 is a maintenance update that addresses several bug fixes discovered in the 3.9 "Smith" edition. These are all minor bugs. There are no security issues in this update. You can read the WordPress 3.9.1 release announcement here. And if you're the type who likes to dive into the details, the list of solved tickets are here, and the changelog is here

WordPress 3.9 — Security Update 
WordPress version 3.9, named "Smith" in honor of jazz organist Jimmy Smith, includes many new enhancements for the CMS, including: drag and drop images, improved image editing, live preview of photo galleries, new audio / video features, and several improvements for developers and plugin authors. Full details on WordPress 3.9 can be found here.

WordPress 3.8.3 — Security Update
WordPress version 3.8 has released right on the tail of 3.7. WordPress version 3.8, named "Parker" in honor of jazz and bebop saxophonist / composer Charles "Charlie" Parker, Jr. Version 3.8 includes several design changed, in what WordPress calls, "the most beautiful update yet." Key features include: a new look to the admin dashboard, Open Sans typefaces, vector-based icons, refined theme management, and improved usability across mobile devices. Full details on WordPress 3.8 can be found here.
 
WordPress 3.8.2 — Security Update
Version 3.8.2 is a security update for all previous versions of WordPress. From the WordPress Security Team: "This release fixes a weakness that could let an attacker force their way into your site by forging authentication cookies." Read the full release information here.
 
WordPress 3.8.1 — Maintenance Update
Version 3.8.1 of WordPress was released only six weeks after WordPress 3.8. The update is a maintenance release only, addressing minor bug fixes, dashboard UI issues, and a fix for embedding tweets that was broken due to a Twitter API change. Full details on WordPress 3.8.1 can be found here
 
WordPress 3.7.1 — Security Update 
WordPress has released version 3.7, named "Basie" in honor of Jazz icon Count Basie. Version 3.7 includes what WordPress calls, "some of the most important architectural updates we've made to date." Key features include: updates while you sleep, stronger password recommendations, better global support, and more than 400 closed tickets. Maintenance update 3.7.1 includes minor bug fixes for stability. Full details on WordPress 3.7 can be found here, and information on the 3.7.1 maintenance release can be found here.
 
WordPress 3.6.1 
WordPress has released version 3.6.1, which is a maintenance release fixing 13 known bugs in WordPress 3.6. It is also a security release for all previous versions of WordPress. It blocks unsafe PHP unserialization that could occur in some situations, and corrects an insufficient input validation that could result in an unintended website redirect. Full details on WordPress 3.6.1 can be found here.

WordPress 3.5.2 — Security Update 
Wordpress has issued two minor releases since the official launch of version 3.5.  Both of these (3.5.1 and 3.5.2) contained important security patches.  If you are on version 3.5 or above, 3.5.2 is the only secure version.

WordPress 3.4.1
WordPress has made it clear that only version 3.4.1 is secure. WordPress only maintains 3.4.1.

WordPress 3.4 and Under — Insecure 
These versions have many known security vulnerabilities and bugs. For your website’s security and function, please upgrade immediately.
 

Don't See Your Version Here? You Need To Upgrade
If you do not see your version of WordPress here, you should upgrade immediately for the latest security and performance benefits. Certain older versions of WordPress may contain critical security vulnerabilities.

Add Feedback