
WordPress 4.7.3 Security Release – Upgrade ASAP

This entry was posted in Vulnerabilities, WordPress Security on March 6, 2017 by Mark Maunder

WordPress 4.7.3 has just been released. It is the third in a series of recent security releases for WordPress core.

WordPress 4.7.2 was released on January 26th to fix a now-famous WordPress defacement vulnerability. WordPress 4.7.1, released on January 11th, fixed a vulnerability in PHPMailer.

This new 4.7.3 core release fixes three cross-site scripting vulnerabilities:

  • Cross-site scripting (XSS) via media file metadata.
  • Cross-site scripting (XSS) via video URL in YouTube embeds.
  • Cross-site scripting (XSS) via taxonomy term names.

It also fixed the following additional security issues:

  • Control characters can trick redirect URL validation.
  • Unintended files can be deleted by administrators using the plugin deletion functionality.
  • Cross-site request forgery (CSRF) in “Press This” leading to excessive use of server resources.

WordPress 4.7.3 also contains 39 maintenance fixes for a range of non-security issues.

A few minutes ago, the Department of Homeland Security released an upgrade advisory via US-CERT’s National Cyber Awareness System.

We recommend that you upgrade to this new release without delay. It fixes multiple security vulnerabilities, and now that the code changes are publicly visible, we may see attacks targeting these vulnerabilities emerge in the coming days.


5 Comments on "WordPress 4.7.3 Security Release – Upgrade ASAP"

Lori March 6, 2017 at 2:08 pm

It appears there is a Lunar Pages hosting conflict with upgrading to WordPress 4.7.3.

Luke Cavanagh March 6, 2017 at 2:59 pm

Also fixes the MIME related upload issue.

https://core.trac.wordpress.org/ticket/39550

Steven March 7, 2017 at 12:16 am

Have been waiting for this one :)

PHC Law March 7, 2017 at 1:55 am

Thanks, have been waiting for this one too. All good to go now and good post too.

Matt March 7, 2017 at 12:45 pm

Yay! Again WordPress publishes details of potential weak points in out-of-date code bases.
