WordPress 4.5.3 Fixes Security Issues

Posted Wednesday June 22nd, 2016

WordPress 4.5.3 was released today. The update fixes 7 WordPress security issues that affected 4.5.2 and older versions. We highly recommend that all users update immediately.

Security Issues Fixed by the Update

Redirect bypass in the customizer – reported by Yassine Aboukir
Two different XSS problems via attachment names – reported by Jouko Pynnönen and Divyesh Prajapati
Revision history information disclosure – reported independently by John Blackbourn from the WordPress security team and by Dan Moen
oEmbed denial of service – reported by Jennifer Dodd from Automattic
Unauthorized category removal from a post – reported by David Herrera from Alley Interactive
Password change via stolen cookie – reported by Michael Adams from the WordPress security team
Some less secure sanitize_file_name edge cases – reported by Peter Westwood from the WordPress security team.

Credit goes to the above contributors and a host of other companies and volunteers for practicing responsible disclosure.

Security and Maintenance Updates

Aside from the above, WordPress 4.5.3 also fixes 17 other bugs from 4.5, 4.51, and 4.5.2. Packaging them together into one WordPress security and maintenance update.

You can take a look at a full list of fixes included in 4.5.3 in the release notes and the closed tickets.

Tags: News, security, Updates, WordPress 4.5.3

Mark

It's in his name, so it's no surprise he delved deeply into marketing. He loves WordPress and entrepreneurship, currently developing an online interactive map for outdoors exploration through WordPress.