Today, Automattic has released a new version of WordPress, WordPress 4.5.3. This is a security release for all previous versions, and we strongly recommend that you update immediately to prevent your site from being hacked or losing data. Automatic background updates are already rolling out to users.
Please note: If you have disabled background updates, you should update your site to the latest version manually right now.
These are the security issues fixed by WordPress 4.5.3:
- Two different XSS problems via attachment names (reported by Yassine Aboukir)
- Redirect bypass in the customizer (reported by Jouko Pynnonen and Divyesh Prajapati)
- Revision history information disclosure (reported independently by John Blackbourn from the WordPress security team and by Dan Moen).
- oEmbed denial of service (reported by Jennifer Dodd from Automattic).
- Unauthorized category removal from a post (reported by David Herrera from Alley Interactive)
- Password change via stolen cookie (reported by Michael Adams from the WordPress security team).
- Some less secure sanitize_file_name edge cases (reported by Peter Westwood of the WordPress security team).
In addition to the above security fixes, WordPress 4.5.3 also fixes 17 bugs from WordPress 4.5, 4.5.1 and 4.5.2.
To update, go to your WordPress site dashboard, or download the new version of WordPress from here. Sites that support automatic background updates are already beginning to upgrade to WordPress 4.5.3.