A Big Week for Security: Upgrade Jetpack to 4.0.4, Upgrade WordPress Core to 4.5.3.
It’s been a busy week for WordPress security. Jetpack has released a major security update with version 4.0.4 this week that fixes three vulnerabilities:
- a vulnerability that allowed an attacker to perform unauthorized changes to the “post by email” settings
- a cross site scripting (XSS) vulnerability in the Jetpack ‘Likes’ module
- a vulnerability that made submitted feedback publicly available via the REST API
These are all reasonably serious vulnerabilities. If you have not already upgraded to Jetpack version 4.0.4, we recommend you do so now.
In addition, WordPress core version 4.5.3 was released this week and is a security update that fixes the following:
- a vulnerability that we discovered that allows any attacker to bypass password protected posts and read those posts
- a redirect bypass vulnerability in the customizer
- two different XSS vulnerabilities via attachment names
- an oEmbed denial of service attack vulnerability
- a vulnerability that allows unauthorized category removal from a post
- a vulnerability that allows an attacker to change passwords via a stolen cookie
- a security improvement to the sanitize_file_name() function
WordPress 4.5.3 also includes 17 bug fixes. We recommend you upgrade as soon as possible because this release contains a large number of security improvements.