WordPress Security Release

Number: AV16-103
Date: 21 June 2016

Purpose

The purpose of this advisory is to bring attention to the WordPress 4.5.3 Security Release.

Assessment

WordPress 4.5.2 and earlier are affected by multiple security issues:

  • Redirect bypass in the customizer
  • Two different XSS problems via attachment names
  • Revision history information disclosure
  • oEmbed denial of service
  • Unauthorized category removal from a post
  • Password change via stolen cookie

In addition to the security issues above, WordPress 4.5.3 fixes 17 bugs from 4.5, 4.5.1 and 4.5.2.

Suggested action

CCIRC recommends that owners and operators test and deploy the vendor-released update or workaround to affected platforms accordingly.
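As an added example (not part of the advisory or of WordPress itself), a small inventory check that reads the `$wp_version` assignment from a site's wp-includes/version.php and reports whether the install is 4.5.2 or earlier, i.e. below the 4.5.3 fix. The version.php sample is constructed; the assignment line format is assumed from the file as shipped by WordPress.

```python
import re

# WordPress 4.5.3 is the release that carries the fixes, per the advisory.
FIXED_VERSION = (4, 5, 3)

# Constructed sample of the relevant line from wp-includes/version.php.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string (constructed sample)
 */
$wp_version = '4.5.2';
"""

# Assumed format of the assignment: $wp_version = '4.5.2';
_VERSION_RE = re.compile(r"^\s*\$wp_version\s*=\s*'([^']+)'\s*;", re.M)


def parse_version(text):
    """Return the $wp_version string from version.php contents, or None."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(version):
    """Convert '4.5.2' or '4.5' into a 3-part integer tuple for comparison.
    A pre-release suffix such as '-beta1' is dropped, so 4.6-beta1 -> (4, 6, 0)."""
    base = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = [int(p) for p in base.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the version is 4.5.2 or earlier (anything below 4.5.3)."""
    return version_tuple(version) < FIXED_VERSION


def check_version_file(text):
    """Parse a version.php body and return (version, affected)."""
    version = parse_version(text)
    if version is None:
        raise ValueError("no $wp_version assignment found in version.php")
    return version, is_affected(version)


if __name__ == "__main__":
    v, affected = check_version_file(SAMPLE_VERSION_PHP)
    status = "affected, update to 4.5.3" if affected else "not affected"
    print(f"WordPress {v}: {status}")
```

Run it against each site's version.php; a numeric comparison is used so that 4.5.10 is correctly treated as newer than 4.5.3.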

References

https://wordpress.org/news/2016/06/wordpress-4-5-3/