WordPress 4.5.3 security update

Jun 21, 2016

From the WordPress 4.5.3 release notes, WordPress versions 4.5.2 and earlier are affected by several security issues:

  • Redirect bypass in the customizer, reported by Yassine Aboukir
  • Two different XSS problems via attachment names, reported by Jouko Pynnönen and Divyesh Prajapati.
  • Revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen
  • oEmbed denial of service reported by Jennifer Dodd from Automattic
  • Unauthorized category removal from a post, reported by David Herrera from Alley Interactive
  • Password change via stolen cookie, reported by Michael Adams from the WordPress security team
  • and some less secure sanitize_file_name edge cases reported by Peter Westwood of the WordPress security team.

WordPress 4.5.3 also fixes 17 bugs from 4.5, 4.5.1 and 4.5.2:

  • #35657 Image height calculation not always available on body.load
  • #36379 Saving post can remove its hierarchical terms if user cannot
  • #36531 Default image size medium_large is not generated
  • #36533 Doesn’t work browse media libary on Frontend
  • #36590 POST[‘nav-menu-data’] breaks other POST
  • #36637 Inline linking inserts `_wp_link_placeholder`
  • #36660 WP_Customize_Widgets::preview_sidebars_widgets() can return false
  • #36708 Silence ini_set() in wp_debug_mode() if WP_DEBUG is off
  • #36748 Updating tables to utf8mb4 causes some columns to change type
  • #36749 Customizer wont load: issue with site-icon control
  • #36767 oEmbed performance optimisation
  • #36793 Customizer doesn’t load in IE8
  • #36838 Invalid argument supplied for foreach() in /wp-includes/theme-compat/embed-content.php
  • #36861 The Insert into post button in the Edit Image window doesn’t work.
  • #36876 TinyMCE: inline toolbars don’t adjust position
  • #36892 Update jQuery migrate to 1.4.1
  • #36900 Media grid AttachmentsBrowser arrows navigation and restoreFocus()

Questions? We can help.