WordPress 4.7.3 Security Release – Upgrade ASAP
WordPress 4.7.3 has just been released. It is the third in a series of recent security releases for WordPress core.
WordPress 4.7.2 was released on January 26th to fix a now famous WordPress defacement vulnerability. WordPress 4.7.1 was released on January 11th which fixed a vulnerability in PHPMailer.
This new 4.7.3 core release fixes three Cross Site Scripting vulnerabilities:
Cross-site scripting (XSS) via media file metadata.
Cross-site scripting (XSS) via video URL in YouTube embeds.
Cross-site scripting (XSS) via taxonomy term names.
It also fixed the following additional security issues:
Control characters can trick redirect URL validation.
Unintended files can be deleted by administrators using the plugin deletion functionality.
Cross-site request forgery (CSRF) in “Press This” leading to excessive use of server resources.
WordPress 4.7.3 also contains 39 maintenance fixes to fix a range of non-security related issues.
A few minutes ago, the Department of Homeland Security released an upgrade advisory via US-CERT’s National Cyber Awareness System:
April 23, 2017
April 7, 2017
April 5, 2017