WordPress 4.5.2 Patches Two Security Vulnerabilities

The WordPress core team has released WordPress 4.5.2, which patches two security vulnerabilities in WordPress versions 4.5.1 and below. The first is a SOME (Same-Origin Method Execution) vulnerability in Plupload, the third-party library WordPress uses for uploading files. The second is a reflected cross-site scripting vulnerability in MediaElement.js, the third-party library used for media players.

Auto updates are rolling out to sites, but if you don’t want to wait, browse to Dashboard > Updates and click the Update Now button. Mario Heiderich, Masato Kinugawa, and Filedescriptor of Cure53 are credited with responsibly disclosing the vulnerabilities.

In addition to the release, the core team has published a post concerning the multiple vulnerabilities discovered in ImageMagick, a popular image processing script used on thousands of web hosting servers. The post describes how WordPress is affected and what the team is doing to mitigate the issues.

12 Comments


  1. Out of curiosity… how come those security vulnerabilities were not found on 4.5 or 4.5.1?


    1. I don’t have the answer to this but it’s possible that due to the timeline of events from the initial report to creating a patch and working with the Plupload and MediaElement teams, that it ended up in 4.5.2.


    1. “WordPress versions 4.2 through 4.5.1 are vulnerable”


      1. Only one of the vulnerabilities is limited to 4.2. The other goes back even further, hence Jeff’s comment. I’ve seen updates released for versions as old as 3.7.


  2. Excellent job! Updated all my clients’ sites automatically. Peace of mind ☺️


  3. My biggest hassle is trying to understand and utilize files. I have learned a lot of code and can now see the advantages of building a website by adding content via code instead of visual. But I doubt if I will ever get past understanding about files and how to store them and to retrieve them. I have gone through Updraft and had to uninstall because they could not give me a clear enough explanation for me to understand. I have been looking at other backup plugins and they are all the same – supposed to be easy – but they are not as far as I am concerned.
    So these WordPress updates are haunting to me! I have worked too hard to just lose an entire website. It is a no win situation for me, so just be glad that all of you can at least understand how to backup and restore a site, because it is hopeless for me. I cannot get any help that is understandable and I cannot afford to pay for assistance, so I just give up.
    After a while WordPress just automatically updates my site, I am sure one day I will try to log in and have a blank page instead of a site. My hosting is of no help in this area either. Of all the advancement of WordPress, they sure can make some of these functions that you would think would be simple – extremely difficult!


    1. Hi

      Turn on debug mode in the wp-config and check out the error message. Most likely an old plugin or old theme core code causing it or a memory exhaust issue. Any of these are easy to fix. You can contact me if you need help. Add your email address or Skype ID and I will contact you.


      1. Thank you for your time and response. I will see if I can figure out what you said to do.

        Steve


  4. Can anybody explain how the media elements leak works and was fixed? I see only one small code change in the script in WordPress. They removed from ‘?x=’+(new date…. the x= so now it’s ‘?’+new date

    Was that causing the issue? It makes me wonder.

    BTW, WP is still using an old version of the m.e. script (2.18.x)
