WordPress 4.5.3 Fixes 7 Security Issues

photo credit: Lock - (license)
photo credit: Lock(license)

WordPress 4.5.3 was released today to fix seven important security issues that affect 4.5.2 and prior versions. Automatic background updates are already rolling out and all users are advised to update immediately. The release patches the following security issues:

  • Redirect bypass in the customizer (reported by Yassine Aboukir)
  • Two different XSS problems via attachment names (reported by Jouko Pynnönen and Divyesh Prajapati)
  • Revision history information disclosure (reported independently by John Blackbourn from the WordPress security team and by Dan Moen)
  • oEmbed denial of service (reported by Jennifer Dodd from Automattic)
  • Unauthorized category removal from a post (reported by David Herrera from Alley Interactive)
  • Password change via stolen cookie (reported by Michael Adams from the WordPress security team)
  • Some less secure sanitize_file_name edge cases (reported by Peter Westwood of the WordPress security team)

A host of different companies and independent volunteers worked together to responsibly disclose and fix these issues to make WordPress more secure. The release also fixes 17 bugs from 4.5, 4.5.1 and 4.5.2. Rolling them all into one security and maintenance release means fewer updates for users. Check out the release notes and closed tickets for a full list of fixes included in 4.5.3.

Would you like to write for WP Tavern? We are always accepting guest posts from the community and are looking for new contributors. Get in touch with us and let's discuss your ideas.

4 Comments


  1. … aaaand WPTavern still doesn’t show up in dashboard news. Was waiting for an update to be sure, since these announcements from here are always there.

    Report


      1. A fix like that doesn’t take weeks.

        Something else is up is my guess.

        Matt pulling the plug on WP Tavern? Maybe too much controversy (aka keeping it real) for him?

        Report

Comments are closed.