On June 18th, WordPress published a security release for all previous versions. WordPress 4.5.3 fixes several security and maintenance issues that affect WordPress 4.5.2 and earlier. Automatic background updates are already rolling out, and WordPress.org advises all users to update their sites immediately.
Here are the several security issues this update takes care of:
- Redirect bypass in the customizer (reported by Yassine Aboukir)
- Two different XSS problems via attachment names (reported by Jouko Pynnönen and Divyesh Prajapati)
- Revision history information disclosure (reported independently by John Blackbourn from the WordPress security team and by Dan Moen)
- oEmbed denial of service (reported by Jennifer Dodd from Automattic)
- Unauthorized category removal from a post (reported by David Herrera from Alley Interactive)
- Password change via stolen cookie (reported by Michael Adams from the WordPress security team)
- Some less secure sanitize_file_name edge cases (reported by Peter Westwood of the WordPress security team).
Along with the above security issues, WordPress 4.5.3 also fixes 17 bugs from 4.5, 4.5.1 and 4.5.2. This is good news, since it means fewer updates for users: everything is rolled into a single release.
Independent volunteers and several companies came together to responsibly disclose these issues and help fix them for a more secure WordPress. See the release notes or the list of changes if you want more information. For now, update your sites straight away: download WordPress 4.5.3, or go to Dashboard → Updates and simply click “Update Now”.
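For anyone responsible for more than one site, a quick way to confirm that the update actually landed is to read the version each install reports and compare it against 4.5.3. The script below is an added example for this post, not code from WordPress.org or from the release; it relies on the real core file `wp-includes/version.php` and its `$wp_version` variable, and it uses the single threshold the post gives (4.5.2 and earlier are affected), so it flags anything below 4.5.3, including pre-release builds of 4.5.3 itself. The sample `version.php` contents embedded in it are constructed for the example.

```python
import os
import re
import sys

# Constructed sample of wp-includes/version.php, mirroring the real file's layout.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.5.2';

$wp_db_version = 36686;
"""

# First version that carries the fixes described in the post (assumed threshold).
FIXED_IN = "4.5.3"


def parse_wp_version(php_source):
    """Extract the value assigned to $wp_version in a version.php source string."""
    match = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;", php_source)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_tuple(version):
    """Turn '4.5.2' or '4.5.3-RC1' into a comparable tuple.

    Missing components are padded with zeros ('4.6' -> 4.6.0), and a
    pre-release suffix (-alpha, -beta1, -RC1) sorts *before* the final
    release of the same number, so 4.5.3-RC1 still counts as unpatched.
    """
    core, _, suffix = version.partition("-")
    parts = tuple(int(p) for p in core.split("."))
    parts = parts + (0,) * (3 - len(parts))
    return parts + ((0,) if suffix else (1,))


def is_vulnerable(version):
    """True when the install predates the 4.5.3 security release."""
    return version_tuple(version) < version_tuple(FIXED_IN)


def check_install(wp_root):
    """Read an install's version.php and report (version, needs_update)."""
    path = os.path.join(wp_root, "wp-includes", "version.php")
    with open(path, encoding="utf-8") as fh:
        version = parse_wp_version(fh.read())
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Usage: python wpcheck.py /var/www/site1 /var/www/site2 ...
    for root in sys.argv[1:]:
        try:
            version, needs_update = check_install(root)
        except (OSError, ValueError) as exc:
            print(f"{root}: could not determine version ({exc})")
            continue
        status = "UPDATE NEEDED" if needs_update else "ok"
        print(f"{root}: WordPress {version} -> {status}")
```

Run it against the document root of each site; a line marked `UPDATE NEEDED` means the install still reports a version below 4.5.3 and should be updated via Dashboard → Updates or by deploying the 4.5.3 package.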