WordPress version 4.5.2 is now available. This is a security release for all previous versions and users are encouraged to update immediately to avoid any unpleasant surprises.
WordPress versions 4.5.1 and earlier are affected by a SOME (Same-Origin Method Execution) through Plupload. SOME exploits allow attackers to perform unintended actions on a website on behalf of victims. The more critical issue is the XSS (cross-site scripting). WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.
Both issues were analyzed and reported by Mario Heiderich, Masato Kinugawa, and Filedescriptor from Cure53. WordPress.org thanked the team for practicing responsible disclosure, and to the Plupload and MediaElement.js teams for working closely with them to coordinate and fix these issues.
Download WordPress 4.5.2 or venture over to Dashboard > Updates and simply click Update Now. Sites that support automatic background updates are already beginning to update to WordPress version 4.5.2. Users that ignore WordPress security patches are bound to face problems at a point in their future. Because WordPress powers almost a quarter of the known Internet, hackers often seek out vulnerable sites to hack.
Additionally, there are multiple widely publicized vulnerabilities in the ImageMagick image processing library, which is used by a number of hosts and is supported in WordPress. For current response to these issues, see this post on the core development blog.
This security release has also been made available for previous WordPress versions from 4.4 to 3.7. For instance, WordPress version 3.7 received a security release of 3.7.14 that functions the same way as version 4.5.2, 3.8 received 3.8.14 and so on. Click here to look at the chronology of WordPress versions and their releases.