WordPress Security and Maintenance Release 4.7.5 available to download from May 16, 2017. We urge you to update your WordPress sites immediately and don’t forget to make a full site backup before updating. All previous versions of WordPress are affected by vulnerabilities patched by this update. You can update your sites automatically right from your WordPress admin dashboard from the section “Updates” (Dashboard → Updates → Update Now). Also, you can simply rewrite the WordPress files by FTP, but it’s way safer to do it from the WordPress dashboard.
WordPress Security and Maintenance Release fixed security issues
- Insufficient redirect validation in the HTTP class. Discovered and reported by Ronni Skansing.
- Incorect handling of post meta data values in the XML-RPC service API. Discovered and reported by Sam Thomas.
- Lack of capability checks for post meta data in the XML-RPC service API. Discovered and reported by Ben Bidner (WordPress Security Team).
- A Cross Site Request Forgery (CRSF) vulnerability in the file system credentials dialog. Discovered and reported by Yorick Koster.
- A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Discovered and reported by Ronni Skansing.
- A cross-site scripting (XSS) vulnerability was discovered related to the WordPress Customizer. Discovered and reported by Weston Ruter (WordPress Security Team).
WordPress version 4.7.5 fixes not related to the security
- Administration – fixed Shift-click function to select a range of checkboxes (wasn’t working since version 4.7.3 update).
- Build/Test Tools – latest Akismet version included.
- REST API – REST API JS Client connecting to multiple endpoints at the same time.
- Taxonomy – fixed issue when get_the_terms() doesn’t respect register_taxonomy()’s ‘orderby’ => ‘term_order’.