WordPress 4.7.5 released earlier today. WordPress 4.7.5 is a security release for all the previous versions of WordPress and since it patches some important security issues, WordPress recommends that you update your websites immediately. If your site has automatic updates enabled, you must have received emails with automatic update notices early morning.
Thanks to the responsible disclosure to the WordPress security team, the following vulnerabilities that affected WordPress versions 4.7.4 and earlier were patched:
- Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
- Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
- Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
- A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
- A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
- A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.
Most of the reports came from security researchers on HackerOne. According to WPTavern, “If WordPress continues to sustain the same volume of reports on its new HackerOne account, users may see more frequent security releases in the future.”
Security releases are important as they keep your websites safe from outside threats. Please make sure you update you websites immediately.
Additionally, WordPress 4.7.5 also contains a few maintenance fixes on REST API, Taxonomy, Build/Test Tools and Administration. You can check out the release notes or consult the list of changes for more information.
To update, you can download WordPress 4.7.5 or just go to your WordPress Dashboard → Updates and simply click “Update Now.” If your website is running a version of WordPress older than 3.7, it will require a manual update.