[SECURITY-L] WordPress 4.5.2 Security Release

CSIRT Unicamp security at unicamp.br
Mon May 9 07:00:35 -03 2016


WordPress 4.5.2 is now available. This is a security release for all
previous versions and we strongly encourage you to update your sites
immediately.

WordPress versions 4.5.1 and earlier are affected by a SOME
vulnerability through Plupload, the third-party library WordPress uses
for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable
to reflected XSS using specially crafted URIs through MediaElement.js,
the third-party library used for media players. MediaElement.js and
Plupload have also released updates fixing these issues.

Both issues were analyzed and reported by Mario Heiderich, Masato
Kinugawa, and Filedescriptor from Cure53. Thanks to the team for
practicing responsible disclosure, and to the Plupload and
MediaElement.js teams for working closely with us to coördinate and fix
these issues.

Download WordPress 4.5.2 from https://wordpress.org/download/, or
venture over to Dashboard → Updates and simply click “Update Now.” Sites
that support automatic background updates are already beginning to
update to WordPress 4.5.2.


Additionally, there are multiple widely publicized vulnerabilities in
the ImageMagick image processing library, which is used by a number of
hosts and is supported in WordPress. For our current response to these
issues, see this post on the core development blog:

https://make.wordpress.org/core/2016/05/06/imagemagick-vulnerability-information/

Source:
https://wordpress.org/news/2016/05/wordpress-4-5-2/


