WordPress 4.7.3 is now available with patches for six security vulnerabilities that affect version 4.7.2 and all previous versions. WordPress.org is strongly encouraging users to update their sites immediately.
The release includes fixes for three XSS vulnerabilities that affect media file metadata, video URLs in YouTube embeds, and taxonomy term names. It also includes patches for three other security issues:
- Control characters can trick redirect URL validation
- Unintended files can be deleted by administrators using the plugin deletion functionality
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources
These vulnerabilities were responsibly disclosed by a variety of researchers and contributors to WordPress security.
Version 4.7.3 is also a maintenance release with fixes for 39 issues. This includes a fix for an annoying bug that popped up after 4.7.1 where certain non-image files failed to upload, giving an error message that said: “Sorry, this file type is not permitted for security reasons.” Those who were negatively impacted have been waiting on this fix for two months.
WordPress sites that haven’t been updated have been subject to a rash of exploits during the last month after a WP REST API vulnerability was disclosed. Now that the patched vulnerabilities in 4.7.3 are public, it is only a matter of time before hackers begin exploiting sites that do not update. If you have auto-updates on, your site has probably already updated by now. If for some reason you have auto-updates disabled, you will want to manually update as soon as possible.
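For administrators who want to confirm whether a site is still on a version affected by these fixes, here is an added POSIX shell example (not from the article or from WordPress.org) that reads the core version WordPress records in wp-includes/version.php and reports whether it is below 4.7.3. The docroot and version.php contents used in the demo are constructed for illustration; point wp_needs_update at a real WordPress document root to audit an actual install.

```shell
#!/bin/sh
# Added example (not from the article): audit a WordPress install's core
# version against the patched 4.7.3 release. WordPress core records its own
# version in wp-includes/version.php as: $wp_version = 'X.Y.Z';
# The docroot created below is a constructed demo, not a real site.

# Print the core version recorded in <docroot>/wp-includes/version.php.
wp_core_version() {
    sed -n "s/^\$wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Return 0 (true) if dotted version $1 is lower than dotted version $2.
# Compares numerically component by component, so 4.7 < 4.7.3 < 4.10.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1
    }'
}

# Return 0 (true) if the install at docroot $1 is older than 4.7.3,
# 1 if it is at or above 4.7.3, and 2 if no version could be read.
wp_needs_update() {
    v=$(wp_core_version "$1")
    [ -n "$v" ] || { echo "no core version found under $1" >&2; return 2; }
    version_lt "$v" "4.7.3"
}

# Constructed demo docroot recording the vulnerable 4.7.2 version.
demo=$(mktemp -d)
mkdir -p "$demo/wp-includes"
printf "<?php\n\$wp_version = '4.7.2';\n" > "$demo/wp-includes/version.php"
if wp_needs_update "$demo"; then
    echo "core $(wp_core_version "$demo") is older than 4.7.3: update now"
else
    echo "core $(wp_core_version "$demo") is at or above 4.7.3"
fi
rm -rf "$demo"
```

Run it against several document roots from a cron job or a fleet inventory script to find installs that auto-update did not reach; a non-zero exit from wp_needs_update with no version found usually means the path is not a WordPress docroot at all.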