WordPress 4.4.2, a security update for all versions, is now available for download. WordPress is recommending that everyone update their sites immediately.
Two security issues were found in WordPress 4.4.1 and earlier, including possible SSRF for certain local URIs, and an open redirection attack.
Since these types of things fall outside my level of technical expertise, I did a bit of research to find out what they are and what kind of harm they can do.
SSRF stands for ‘server-side request forgery’. In this kind of attack, the attacker gets the server itself to make requests on their behalf, which can be used to bypass access controls, such as firewalls, and ultimately crash your system.
An open redirect is a bit more straightforward. It takes a trusted site and redirects visitors to an untrusted site, with the goal of getting visitors to land on phishing sites or any other type of malicious site.
While fixing the two major security issues, WordPress 4.4.2 also fixes 17 bugs found in the previous version.
WordPress 4.4.2 can be downloaded directly from the dashboard, or may already be downloaded if your site supports automatic updates.