Please everyone, update to WordPress 4.5.2

WordPress 4.5.2 has now been available since the start of May 2016. This update was purely a security release for all versions of WordPress. We strongly urge you to update your sites immediately!

WordPress 4.5.1 was affected by a SOME (Same-Origin Method Execution) vulnerability through Plupload, the third-party library WordPress uses for uploading files. You know it well, the Upload Media, Drag and Drop bit that goes BLUE when you are ready to drop it in.

JavaScript libraries are the culprits

These earlier versions of WordPress (4.2 and 4.5.1) are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js. This is the third-party library used for media players. Reflected XSS is the most frequent type of XSS attack found in the wild. Reflected XSS attacks are also known as non-persistent XSS attacks. Since the attack payload is delivered and executed via a single request and response, they are also referred to as first-order or type 1 XSS.

MediaElement.js and Plupload have also released updates fixing these issues, so this should be old news by the time you read this.

Download WordPress 4.5.2 and install now, or Monkey on over to your WordPress Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates have already started to update to WordPress 4.5.2. So if you are on managed WordPress hosting with any of the big boys then chances are it’s already done.
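If you look after more than one site, you can confirm from the command line which installs still need the update. The script below is an added example, not part of WordPress or of the original post: it reads `$wp_version` from each install's `wp-includes/version.php` and flags anything below 4.5.2. The function names are made up for this example, and it assumes an unmodified `version.php`.

```shell
#!/bin/sh
# Added example: flag WordPress installs older than the fixed release.
# Usage: sh check_wp.sh /var/www/site1 /var/www/site2 ...
FIXED_VERSION="4.5.2"   # the security release named in this post

# Print the value assigned to $wp_version in a version.php file.
wp_version_of() {
    sed -n "s/^[[:space:]]*\$wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Succeed (exit 0) only if version $1 is strictly lower than version $2.
# Components are compared numerically, so 4.10 is newer than 4.5.2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0   # missing component counts as 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1                           # equal versions are not "lower"
    }'
}

# Classify one install root; prints "<status> <version> <path>".
check_install() {
    vf="$1/wp-includes/version.php"
    if [ ! -f "$vf" ]; then echo "NOT_WORDPRESS - $1"; return 2; fi
    v=$(wp_version_of "$vf")
    if [ -z "$v" ]; then echo "UNKNOWN - $1"; return 2; fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "OUTDATED $v $1"; return 1
    fi
    echo "OK $v $1"
}

# Check every install root given on the command line.
for root in "$@"; do
    check_install "$root" || true
done
```

Any line starting with `OUTDATED` is a site that has not yet picked up the update, automatic or otherwise.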

Also… ImageMagick

Also, while we are chatting about security, there are a tonne of currently widely publicised vulnerabilities in the ImageMagick image processing library. This is used by a number of hosts (yes, even those big boys from earlier who were keeping you nice and updated) and is fully supported in WordPress. For an answer to THIS issue, see this post on the core WordPress development blog.
