WordPress 4.2.1 Security Release
WordPress 4.2 and earlier contain a vulnerability that allows an anonymous commenter to take over a site completely. WordPress 4.2.1 fixes this vulnerability.
According to the author at klikki.fi, the vulnerability works as follows: in the comments table the comment field is of the default type TEXT, which can store only 64 kilobytes of data. When a longer comment is published, MySQL simply cuts off the remainder, and when WordPress renders the comment on a page, only the first 65,000 characters are output.
The update is available for all branches that support automatic background updates (from 4.2 back to 3.7). If your site has not been updated automatically, we recommend that you do it yourself as soon as possible.
After the upgrade, you can scan the database in case someone has already left a comment of this kind on your site. You can do this with the following SQL query:
SELECT comment_ID FROM wp_comments WHERE LENGTH(comment_content) >= 65535;
It will list the IDs of comments whose content is 64 KB or longer. After reviewing their contents, you can see what the commenter (attacker) tried to do on your site, and the comment_author_IP column will give you the IP address. Note that when the database is upgraded these comments are removed, so the query must be run before the database update phase.
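The check described above, written out as a small Python script that is added here and is not part of the original post or of WordPress. It builds a constructed sample of the wp_comments table in an in-memory SQLite database (SQLite stands in for MySQL so the example runs offline), mimics the way a TEXT column silently cuts a comment at 64 KB, and then runs the post's query to list the comment IDs and author IPs that need review. The table name, column names and sample IP addresses are assumptions; the 65535 limit is the TEXT capacity the post refers to.

```python
import sqlite3

MYSQL_TEXT_MAX_BYTES = 65535  # capacity of a MySQL TEXT column (64 KB)

# The same query as in the post, extended with the author IP and the length.
# (MySQL's LENGTH counts bytes, SQLite's counts characters; the sample data
# below is ASCII so the two agree.)
OVERSIZED_COMMENTS_SQL = """
SELECT comment_ID, comment_author_IP, LENGTH(comment_content)
FROM wp_comments
WHERE LENGTH(comment_content) >= 65535
"""


def truncate_like_mysql_text(comment: str) -> str:
    """Mimic a TEXT column silently dropping everything past 64 KB.

    The stored copy is never longer than 65535 bytes, so an oversized
    submission leaves behind a row whose length is exactly the limit.
    That is why the query tests '>= 65535' and not '> 65535'.
    """
    return comment.encode("utf-8")[:MYSQL_TEXT_MAX_BYTES].decode("utf-8", "ignore")


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data (not real comments): a subset of wp_comments."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE wp_comments (
               comment_ID INTEGER PRIMARY KEY,
               comment_author_IP TEXT,
               comment_content TEXT)"""
    )
    rows = [
        # an ordinary comment
        (1, "192.0.2.10", "Nice post, thanks!"),
        # a 70,000-character submission as MySQL would actually store it
        (2, "192.0.2.11", truncate_like_mysql_text("A" * 70000)),
        # just under the limit: long, but not evidence of truncation
        (3, "192.0.2.12", "x" * 65534),
    ]
    conn.executemany("INSERT INTO wp_comments VALUES (?, ?, ?)", rows)
    return conn


def find_oversized_comments(conn: sqlite3.Connection):
    """Return (comment_ID, comment_author_IP, length) for every comment
    whose stored content is 64 KB or longer, i.e. the rows to review."""
    return [(cid, ip, length) for cid, ip, length in conn.execute(OVERSIZED_COMMENTS_SQL)]


if __name__ == "__main__":
    for cid, ip, length in find_oversized_comments(build_sample_db()):
        print(f"comment {cid} from {ip}: {length} characters, review before the database upgrade")
```

Against a real installation the same query runs unchanged in the MySQL client (adjust the wp_ table prefix if your site uses a different one); the script's value is in showing that a truncated comment is stored at exactly the limit, which is what the query keys on.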