Number: AV16-103
Date: 21 June 2016
Purpose
The purpose of this advisory is to bring attention to the WordPress 4.5.3 Security Release.
Assessment
WordPress versions 4.5.2 and earlier are affected by multiple security issues:
- Redirect bypass in the customizer
- Two different cross-site scripting (XSS) problems via attachment names
- Revision history information disclosure
- oEmbed denial of service
- Unauthorized category removal from a post
- Password change via stolen cookie
In addition to the security issues above, WordPress 4.5.3 fixes 17 bugs from 4.5, 4.5.1 and 4.5.2.
Suggested action
CCIRC recommends that owners and operators test and deploy the vendor-released update or workaround on affected platforms.
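To find installs that still need the update, the following check (an added example, not part of this advisory and not WordPress project code) reads the $wp_version assignment that WordPress core keeps in wp-includes/version.php and flags any version below 4.5.3. The sample file contents and the document-root paths it is run against are constructed for illustration; it assumes, following the advisory's "4.5.2 and earlier" wording, that every version below 4.5.3, including 4.5.3 pre-releases, should be reported as affected.

```python
"""Flag WordPress document roots still running a version below 4.5.3."""
import re
import sys
from pathlib import Path
from typing import Dict, Optional, Tuple

# First release containing the fixes the advisory describes.
FIXED_VERSION: Tuple[int, int, int, int] = (4, 5, 3, 0)

# WordPress core records its version in wp-includes/version.php as, e.g.:
#     $wp_version = '4.5.2';
_WP_VERSION_RE = re.compile(
    r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.MULTILINE
)


def parse_version(version_php: str) -> Optional[str]:
    """Return the version string assigned to $wp_version, or None if absent."""
    match = _WP_VERSION_RE.search(version_php)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Map '4.5.2', '4.5' or '4.5.3-RC1' to a comparable tuple.

    Missing components count as 0 ('4.5' == '4.5.0').  A pre-release suffix
    such as '-beta1' or '-RC1' sorts below the final release, so
    '4.5.3-RC1' < '4.5.3' (assumption: pre-releases are not yet fixed).
    """
    numeric, _, suffix = version.partition("-")
    parts = [int(p) for p in numeric.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected WordPress version: {version!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2], -1 if suffix else 0)


def is_affected(version: str) -> bool:
    """True for 4.5.2 and earlier (anything below 4.5.3), per the advisory."""
    return version_key(version) < FIXED_VERSION


def classify(version_php: str) -> Dict[str, object]:
    """Report the version found in version.php text and whether it is affected."""
    version = parse_version(version_php)
    if version is None:
        return {"version": None, "affected": None,
                "error": "no $wp_version assignment found"}
    try:
        affected = is_affected(version)
    except ValueError as exc:
        return {"version": version, "affected": None, "error": str(exc)}
    return {"version": version, "affected": affected, "error": None}


def check_docroot(docroot: str) -> Dict[str, object]:
    """Inspect one WordPress install rooted at docroot (a path string)."""
    version_php = Path(docroot) / "wp-includes" / "version.php"
    try:
        text = version_php.read_text(encoding="utf-8", errors="replace")
    except OSError as exc:
        report: Dict[str, object] = {"version": None, "affected": None,
                                     "error": str(exc)}
    else:
        report = classify(text)
    report["docroot"] = docroot
    return report


# Constructed sample contents of wp-includes/version.php (not real files).
SAMPLE_VULNERABLE = (
    "<?php\n"
    "/**\n * The WordPress version string\n */\n"
    "$wp_version = '4.5.2';\n"
)
SAMPLE_FIXED = "<?php\n$wp_version = '4.5.3';\n"


def main(argv) -> int:
    # Hypothetical default path; pass real document roots on the command line.
    docroots = argv[1:] or ["/var/www/html"]
    exit_code = 0
    for report in map(check_docroot, docroots):
        if report["error"]:
            status = "ERROR"
        else:
            status = "AFFECTED" if report["affected"] else "ok"
        print(f"{status:8} {report['docroot']} "
              f"{report['version'] or ''} {report['error'] or ''}".rstrip())
        if status != "ok":
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 wp_check.py /var/www/site1 /var/www/site2`; a non-zero exit means at least one document root is affected or could not be read, which makes it easy to wire into a fleet-wide inventory job. A read error is reported separately from an affected version so that an unreadable install is not silently counted as patched.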