WordPress version 4.9.3 was released last week with patches for a total of 34 vulnerabilities, but unfortunately, the new version broke the automatic update mechanism for millions of WordPress websites.
The WordPress team has now issued a new maintenance update, WordPress 4.9.4, to patch this severe bug, which WordPress admins have to install manually.
According to security site Wordfence, when WordPress checks whether an updated version is available and needs to be installed, a PHP error interrupts the auto-update process.
If not updated manually to the latest 4.9.4 version, a website would stay on WordPress 4.9.3 forever, leaving it vulnerable to future security issues.
Here’s what WordPress lead developer Dion Hulse explained about the bug:
“#43103-core aimed to reduce the number of API calls which get made when the auto-update cron task is run. Unfortunately, due to human error, the final commit didn’t have the intended effect and instead triggers a fatal error as not all of the dependencies of find_core_auto_update() are met. For whatever reason, the fatal error was not discovered before 4.9.3’s release—it was a few hours after release when discovered.”
The issue has since been fixed, but as reported, the fix will not be installed automatically.
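For admins who run more than one site, the following added example (not code from WordPress or Wordfence) audits a directory of installs and flags those sitting on 4.9.3, which need the manual update described above. It assumes each install keeps the standard wp-includes/version.php file that defines $wp_version; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Per the article: 4.9.3 cannot auto-update itself; 4.9.4 carries the fix.
STUCK, FIXED = (4, 9, 3), (4, 9, 4)

# WordPress core records its version in wp-includes/version.php, e.g.
#   $wp_version = '4.9.3';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)

def read_wp_version(site_root):
    """Return the version string from wp-includes/version.php, or None."""
    try:
        text = (Path(site_root) / "wp-includes" / "version.php").read_text(errors="replace")
    except OSError:
        return None
    match = VERSION_RE.search(text)
    return match.group(1) if match else None

def parse_version(version):
    """'4.9.3' -> (4, 9, 3); '4.9' -> (4, 9, 0); a '-RC1' style suffix is dropped."""
    nums = re.findall(r"\d+", version.split("-")[0])[:3]
    return tuple(int(n) for n in nums + ["0"] * (3 - len(nums)))

def classify(version):
    if version is None:
        return "unknown"   # version.php missing or unreadable: check by hand
    parsed = parse_version(version)
    if parsed == STUCK:
        return "stuck"     # auto-update is broken: install 4.9.4 manually
    return "ok" if parsed >= FIXED else "older"  # older: predates the 4.9.3 regression

def audit(base_dir):  # maps each install found under base_dir to (version, status)
    report = {}
    for vf in sorted(Path(base_dir).glob("**/wp-includes/version.php")):
        version = read_wp_version(vf.parent.parent)
        report[str(vf.parent.parent.relative_to(base_dir))] = (version, classify(version))
    return report

def build_sample_tree(base_dir):  # constructed sample installs, so the audit runs offline
    for name, version in {"blog": "4.9.3", "shop": "4.9.4", "legacy": "4.8.5"}.items():
        inc = Path(base_dir) / name / "wp-includes"
        inc.mkdir(parents=True)
        (inc / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit(tmp))
```

Point audit() at the directory that holds your site roots; any entry reported as "stuck" will not move off 4.9.3 until 4.9.4 is installed by hand.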