WordPress 4.5.3 was released today. The update fixes 7 WordPress security issues that affected 4.5.2 and older versions. We highly recommend that all users update immediately.
Security Issues Fixed by the Update
- Redirect bypass in the customizer – reported by Yassine Aboukir
- Two different XSS problems via attachment names – reported by Jouko Pynnönen and Divyesh Prajapati
- Revision history information disclosure – reported independently by John Blackbourn from the WordPress security team and by Dan Moen
- oEmbed denial of service – reported by Jennifer Dodd from Automattic
- Unauthorized category removal from a post – reported by David Herrera from Alley Interactive
- Password change via stolen cookie – reported by Michael Adams from the WordPress security team
- Some less secure sanitize_file_name edge cases – reported by Peter Westwood from the WordPress security team
Credit goes to the above contributors and a host of other companies and volunteers for practicing responsible disclosure.
Security and Maintenance Updates
Aside from the above, WordPress 4.5.3 also fixes 17 other bugs from 4.5, 4.5.1, and 4.5.2, packaging them together into one WordPress security and maintenance update.
You can take a look at a full list of fixes included in 4.5.3 in the release notes and the closed tickets.