It’s been almost a week since WordPress 4.5.2 Security Release, and if you haven’t already, you should update now.
The reason for this persistence – This release fixes some really embarrassing and easily exploitable security vulnerabilities present in WordPress since at least 4.2.
This is an end-user/ client/ non-developer version of what was wrong and how it’s been fixed (or patched) in WordPress 4.5.2 Security Release.
WordPress 4.2 to the latest 4.5.1 were open to attack through security vulnerability in Plupload, a 3rd party library used to execute/manage uploads to WordPress media library. This chink-in-the-armor made WordPress websites highly susceptible to Reflected XSS attacks (by use of special URIs through MediaElement.js, another 3rd party library for media players.
There are also some rather highly publicized flaws in ImageMagick, a software suite used around the web that lets users create, customize, compose, or convert images in over 200 file formats.
The security vulnerability can let malicious data creep into WordPress admin through images and perform exploits remotely (Remote Code Execution or RCE). This could be done by anyone who could upload images to your WordPress admin (upload_files capability). By default that capability lies with user roles like admin, author, and editor; but that can (and is) often customized to suit different needs.
Notably, all three flaws were found in third party scripts/ libraries, not within WordPress core itself. Their teams are now working to fix the highlighted issues in coordination with WordPress experts.
The Reflected XSS vulnerability has been patched and fixed in the latest security release.
ImageMagick did release version 6.9.3-10 in April 2016 as a fix to RCE vulnerability, but many think that it’s insufficient protection against RCE.
The anonymous people behind ImageTragick recommend updating the policy file to disable ImageMagick coders. An Example can be found on ImageTragick.com
The issues were reported responsibly by Mario Heiderich, Masato Kinugawa, and Filedescriptor of Cure53.
Stewie (codename) and Nikolay Ermishkin, both of Mail.Ru Security Team, are responsible for finding ImageMagick security vulnerabilities.
Endnote
4.5.2 is an extremely important security update for WordPress. Head over to WordPress admin Dashboard >> Updates and click ‘Update Now’ to keep your site safe for the time being.