WordPress core contributor and development leader Adam Silverstein recently unveiled WordPress 4.5.3 Security and Maintenance release, one of the more significant security releases for WordPress till date. Compiled by over 20 awesome WordPress developers, this security release focuses on issues pertaining to functioning and of course, chinks in the armor.
Here’s what it’s all about.
WordPress security team and a number of other developers reported more than a handful of security issues in WordPress versions 4 and beyond. This security and maintenance release attempts to fix:
• Redirection bypass in WordPress Customizer. Found and reported by Yassine Aboukir (self proclaimed Web App security enthusiast).
• Two separate Cross site scripting (XSS) issues, both with attachment names (forgeries committed by users you trust). Found and reported by Jouko Pynnönen (Klikky Oy) and Divyesh Prajapati.
• Revision history access (critical information disclosure). Found and reported by John Blackbourn (independently of WordPress Security Team) and Dan Moen (WordFence Research Team).
• DoS (Denial of Service) attack target at oEmbed, a vital part of core since WordPress version 2.9. Found and reported by Jennifer Dodd (Automattic).
• Unauthorized category change (taxonomy change) in a published post. Found and reported by David Herrera (Alley Interactive).
• Cookie intercepts and subsequent password theft. Found and reported by Michael Adams (WordPress Security Team).
• Unsecure edge cases in sanitize_file_name function have been fixed, courtesy of Peter Westwood of WordPress Security Team.
If those vulnerabilities aren’t enough to prompt you into action and update to WordPress 4.5.3 now (come on, it’s free!), maybe some features and fixes will do the trick.
WordPress 4.5.3 fixes over a dozen (17, to be exact) bugs in versions 4.5 and beyond. Some of them are listed below:
1. Incorrect image dimension in iFrame (embed) (Ticket)
While embedding a WordPress post in the editor, the browser may send incorrect dimension (specifically height) to the embedding site. This happened 5 out 10 times, when the featured image on the post took a while to load, which then appeared stretched/ squashed out vertically.
2. Saving post can remove its hierarchical taxonomy if user does not have assign_terms capability (Ticket)
The interface displayed the checklist with correct boxes checked, but input was disabled and the saved taxonomy was lost.
3. Default image size medium_large (768px) does not generate (Ticket)
This happened when you changed image size from media settings page in WordPress admin.
4. Browse Media (library) doesn’t work on front-end and browsers Chrome and Safari (Ticket)
It used to work in WordPress versions 4.4 and before.
5. POST[‘nav-menu-data’] breaks other POST values(Ticket)
This was reported by Unyson theme framework creator team. The Unyson plugin’s megamenu extension had this trouble which has been fixed now.
There are a dozen more bug fixes in the UI, oEmbed performance, site icon control issues in Customizer, and more.
Endnote
WordPress 4.5.3 Security and Maintenance patch was released on June 18th 2016 and has been available for download/update ever since. If you haven’t updated yet (seriously, it’s not that hard!), go to your admin dashboard and do it now.