Update 4/30 12:00pm Central: We have concluded our investigations and will be resuming the upgrades for our platform. All customers should be upgraded appropriately in the next 24 hours.
Update: As new information about the vulnerability surfaced on social media, we have paused the WordPress update to continue investigation. We have made additional platform changes that ensure your sites are not at risk. We will resume upgrades once we have a full understanding of the issue and a clear path forward.
WordPress has just released a security update for the current stable branch of WordPress, which fixes a recently discovered critical cross-site scripting (XSS) vulnerability. While WP Engine already blocked this issue from affecting customer sites, the WordPress update cleans up any affected comments that may have been posted before the issue was identified. Further details are available in the following blog post on WordPress.org.
Fortunately, as a WP Engine customer, you’re covered: you don’t have to take any action at this time. Our technical team is already hard at work auto-updating all sites hosted with WP Engine to WordPress 4.1.4. We will also follow our regular 4.2 upgrade plan as outlined here, and replace 4.2 with the newly patched version 4.2.1.
Please keep in mind that this security update only fixes a specific security vulnerability. It should not impact any custom code in your plugins or themes.
As always, thank you for choosing WP Engine!