WordPress 4.5.3 security update

From the WordPress 4.5.3 release notes, WordPress versions 4.5.2 and earlier are affected by several security issues:

  • Redirect bypass in the customizer, reported by Yassine Aboukir
  • Two different XSS problems via attachment names, reported by Jouko Pynnönen and Divyesh Prajapati
  • Revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen
  • oEmbed denial of service reported by Jennifer Dodd from Automattic
  • Unauthorized category removal from a post, reported by David Herrera from Alley Interactive
  • Password change via stolen cookie, reported by Michael Adams from the WordPress security team
  • Several less secure sanitize_file_name edge cases, reported by Peter Westwood of the WordPress security team

WordPress 4.5.3 also fixes 17 bugs from 4.5, 4.5.1 and 4.5.2:

  • #35657 Image height calculation not always available on body.load
  • #36379 Saving post can remove its hierarchical terms if user cannot
  • #36531 Default image size medium_large is not generated
  • #36533 Browsing the media library does not work on the frontend
  • #36590 $_POST['nav-menu-data'] breaks other $_POST data
  • #36637 Inline linking inserts `_wp_link_placeholder`
  • #36660 WP_Customize_Widgets::preview_sidebars_widgets() can return false
  • #36708 Silence ini_set() in wp_debug_mode() if WP_DEBUG is off
  • #36748 Updating tables to utf8mb4 causes some columns to change type
  • #36749 Customizer won't load: issue with site-icon control
  • #36767 oEmbed performance optimisation
  • #36793 Customizer doesn’t load in IE8
  • #36838 Invalid argument supplied for foreach() in /wp-includes/theme-compat/embed-content.php
  • #36861 The Insert into post button in the Edit Image window doesn’t work.
  • #36876 TinyMCE: inline toolbars don’t adjust position
  • #36892 Update jQuery migrate to 1.4.1
  • #36900 Media grid AttachmentsBrowser arrows navigation and restoreFocus()

WordPress and Drupal Updates

Please note that there are new security updates for WordPress and Drupal. A security researcher disclosed a vulnerability in the XML parsing behind the XML-RPC interfaces of both platforms that lets an attacker launch a very effective denial-of-service attack against a site with ordinary-looking requests, circumventing the protections most sites already have in place.

Please make sure your WordPress is updated to version 3.9.2 and your Drupal to either 7.31 or 6.33 (depending on which Drupal major version you are running).

For more information, check out the following blog post on this topic.
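If you manage more than a handful of sites, the quickest way to act on both posts is to read the core version each install declares and compare it against the minimum patched release for its branch. The script below is an added example, not code from WordPress, Drupal or this blog. It assumes the places where each project records its version (wp-includes/version.php for WordPress, includes/bootstrap.php for Drupal 7, modules/system/system.module for Drupal 6); the docroot snapshots it checks are constructed sample data, and the patched-version table combines the releases named in the two posts above (WordPress 3.9.2 and 4.5.3, Drupal 6.33 and 7.31).

```python
"""Compare the core version declared by a WordPress or Drupal install against
the minimum patched release for its branch.

Added example, not code from WordPress, Drupal or this blog. File paths and
regexes are assumptions about where each project declares its version.
"""
import re
from pathlib import Path
from typing import Dict, Mapping, Optional, Tuple

# Minimum patched release per major branch, taken from the two posts above.
MIN_PATCHED: Dict[str, Dict[int, Tuple[int, ...]]] = {
    "wordpress": {3: (3, 9, 2), 4: (4, 5, 3)},
    "drupal": {6: (6, 33), 7: (7, 31)},
}

# (relative path, regex capturing the version) per product; assumed layout.
VERSION_FILES = {
    "wordpress": ("wp-includes/version.php", r"\$wp_version\s*=\s*'([^']+)'"),
    "drupal": ("includes/bootstrap.php", r"define\(\s*'VERSION'\s*,\s*'([^']+)'\s*\)"),
}
DRUPAL6_FILE = "modules/system/system.module"  # Drupal 6 keeps VERSION here


def parse_version(raw: str) -> Tuple[int, ...]:
    """'4.5.3' -> (4, 5, 3); '4.6-beta1' -> (4, 6); '7.31' -> (7, 31)."""
    core = re.split(r"[-+ ]", raw.strip(), maxsplit=1)[0]  # drop pre-release tags
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def extract_version(source: str, pattern: str) -> Optional[str]:
    match = re.search(pattern, source)
    return match.group(1) if match else None


def is_patched(product: str, version: str) -> Optional[bool]:
    """True/False against the table; None when the branch is newer than the table."""
    parts = parse_version(version)
    if not parts:
        raise ValueError(f"unparseable version {version!r}")
    table = MIN_PATCHED[product]
    major = parts[0]
    if major < min(table):
        return False  # older than any branch listed: definitely unpatched
    minimum = table.get(major)
    if minimum is None:
        return None   # newer than the table knows about; check release notes
    width = max(len(parts), len(minimum))
    pad = lambda t: t + (0,) * (width - len(t))  # '4.5' compares as (4, 5, 0)
    return pad(parts) >= pad(minimum)


def check_install(product: str, files: Mapping[str, str]) -> Tuple[str, Optional[bool]]:
    """files maps relative path -> content (a docroot snapshot). Returns (version, status)."""
    candidates = [VERSION_FILES[product]]
    if product == "drupal":
        candidates.append((DRUPAL6_FILE, VERSION_FILES["drupal"][1]))
    for path, pattern in candidates:
        source = files.get(path)
        if source is None:
            continue
        version = extract_version(source, pattern)
        if version:
            return version, is_patched(product, version)
    raise LookupError(f"no core version found for {product}")


def snapshot_docroot(product: str, root: Path) -> Dict[str, str]:
    """Read only the version-bearing files from a real docroot on disk."""
    wanted = [VERSION_FILES[product][0]] + ([DRUPAL6_FILE] if product == "drupal" else [])
    return {p: (root / p).read_text(errors="replace") for p in wanted if (root / p).is_file()}


# Constructed sample docroots (not real sites) covering each outcome.
SAMPLE_DOCROOTS: Dict[str, Dict[str, str]] = {
    "wp-unpatched": {"wp-includes/version.php": "<?php\n$wp_version = '4.5.2';\n"},
    "wp-patched": {"wp-includes/version.php": "<?php\n$wp_version = '4.5.3';\n"},
    "drupal7-unpatched": {"includes/bootstrap.php": "<?php\ndefine('VERSION', '7.30');\n"},
    "drupal6-patched": {"includes/bootstrap.php": "<?php\n// no VERSION here in D6\n",
                        "modules/system/system.module": "<?php\ndefine('VERSION', '6.33');\n"},
}

if __name__ == "__main__":
    for name, files in SAMPLE_DOCROOTS.items():
        product = "wordpress" if name.startswith("wp") else "drupal"
        version, ok = check_install(product, files)
        label = {True: "patched", False: "UNPATCHED", None: "unknown branch"}[ok]
        print(f"{name:18} {product:9} {version:8} {label}")
```

A `None` result is deliberate: a version newer than the table is not automatically safe, it just post-dates the posts, so treat it as "consult the current release notes" rather than "fine". Pre-release tags are dropped before comparing, so a beta of a later branch is judged by its numeric part only.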