WordPress Security and Maintenance release

WordPress Security and Maintenance Release – 4.7.5

WordPress Security and Maintenance Release 4.7.5 available to download from May 16, 2017. We urge you to update your WordPress sites immediately and don’t forget to make a full site backup before updating. All previous versions of WordPress are affected by vulnerabilities patched by this update. You can update your sites automatically right from your WordPress admin dashboard from the section “Updates” (Dashboard → Updates → Update Now). Also, you can simply rewrite the WordPress files by FTP, but it’s way safer to do it from the WordPress dashboard.

WordPress Security and Maintenance Release fixed security issues

  • Insufficient redirect validation in the HTTP class. Discovered and reported by Ronni Skansing.
  • Incorect handling of post meta data values in the XML-RPC service API. Discovered and reported by Sam Thomas.
  • Lack of capability checks for post meta data in the XML-RPC service API. Discovered and reported by Ben Bidner (WordPress Security Team).
  • A Cross Site Request Forgery (CRSF) vulnerability in the file system credentials dialog. Discovered and reported by Yorick Koster.
  • A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Discovered and reported by Ronni Skansing.
  • A cross-site scripting (XSS) vulnerability was discovered related to the WordPress Customizer. Discovered and reported by Weston Ruter (WordPress Security Team).

WordPress version 4.7.5 fixes not related to the security

  • Administration – fixed Shift-click function to select a range of checkboxes (wasn’t working since version 4.7.3 update).
  • Build/Test Tools – latest Akismet version included.
  • REST API – REST API JS Client connecting to multiple endpoints at the same time.
  • Taxonomy – fixed issue when get_the_terms() doesn’t respect register_taxonomy()’s ‘orderby’ => ‘term_order’.

Updated files

  • wp-admin/includes/file.php
  • wp-admin/js/common.js
  • wp-admin/js/common.min.js
  • wp-admin/js/customize-controls.js
  • wp-admin/js/customize-controls.min.js
  • wp-admin/js/updates.js
  • wp-admin/js/updates.min.js
  • wp-admin/about.php
  • wp-admin/customize.php
  • wp-content/plugins/akismet/_inc/img/logo-full-2x.png
  • wp-content/plugins/akismet/_inc/akismet.css
  • wp-content/plugins/akismet/_inc/akismet.js
  • wp-content/plugins/akismet/akismet.php
  • wp-content/plugins/akismet/class.akismet.php
  • wp-content/plugins/akismet/readme.txt
  • wp-includes/js/plupload/handlers.js
  • wp-includes/js/plupload/handlers.min.js
  • wp-includes/js/wp-api.js
  • wp-includes/js/wp-api.min.js
  • wp-includes/class-http.php
  • wp-includes/class-wp-customize-manager.php
  • wp-includes/class-wp-xmlrpc-server.php
  • wp-includes/taxonomy.php
  • wp-includes/version.php
Darius S.

Similar Posts

Social Warfare plugin vulnerabilities exploited

Social Warfare plugin under attack due to critical security vulnerabilities

Social Warfare plugin has more than 60,000 active installs, and now it suffers from the wave of attacks ignited by recently discovered two ...

Easy WP SMTP plugin vulnerability

Easy WP SMTP plugin vulnerability threatens 300k WordPress websites

Easy WP SMTP plugin gets a lot of attention these days due to zero-day (0-day) vulnerability disclosed recently. Why it gets so much ...

Coinhive closing

Coinhive closes – hackers will lose their favorite tool of exploitation

Coinhive development team published a blog post about the discontinuation of Coinhive system. Yes, the same Coinhive that we talked about ...

Leave a Reply

Your email address will not be published. Required fields are marked *