WordPress 4.5.3 Fixes 7 Security Issues

photo credit: Lock - (license)

WordPress 4.5.3 was released today to fix seven important security issues that affect 4.5.2 and prior versions. Automatic background updates are already rolling out and all users are advised to update immediately. The release patches the following security issues:

  • Redirect bypass in the customizer (reported by Yassine Aboukir)
  • Two different XSS problems via attachment names (reported by Jouko Pynnönen and Divyesh Prajapati)
  • Revision history information disclosure (reported independently by John Blackbourn from the WordPress security team and by Dan Moen)
  • oEmbed denial of service (reported by Jennifer Dodd from Automattic)
  • Unauthorized category removal from a post (reported by David Herrera from Alley Interactive)
  • Password change via stolen cookie (reported by Michael Adams from the WordPress security team)
  • Some less secure sanitize_file_name edge cases (reported by Peter Westwood of the WordPress security team)

A host of different companies and independent volunteers worked together to responsibly disclose and fix these issues to make WordPress more secure. The release also fixes 17 bugs from 4.5, 4.5.1 and 4.5.2. Rolling them all into one security and maintenance release means fewer updates for users. Check out the release notes and closed tickets for a full list of fixes included in 4.5.3.
