WordPress 4.5.3 was just released. This is an important security release that includes fixes for critical vulnerabilities and improvements for WordPress 4.5.2 and lower. It is recommended for all WordPress users.
As always, Managed WordPress websites will be updated by 1&1 automatically. If you have installed WordPress yourself or use a standard installation from the 1&1 App Center, you can update to 4.5.3 from your WordPress Dashboard.
Select Updates and click Update Now. If you prefer to update manually, you can download WordPress 4.5.3 here.
What’s new in WordPress 4.5.3?
This release contains important security updates and bug fixes, among other smaller improvements (wordpress.org):
WordPress versions 4.5.2 and earlier are affected by several security issues:
- redirect bypass in the customizer, reported by Yassine Aboukir
- two different XSS problems via attachment names, reported by Jouko Pynnönen and Divyesh Prajapati
- revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen
- oEmbed denial of service, reported by Jennifer Dodd from Automattic
- unauthorized category removal from a post, reported by David Herrera from Alley Interactive
- password change via stolen cookie, reported by Michael Adams from the WordPress security team
- some less secure sanitize_file_name edge cases, reported by Peter Westwood of the WordPress security team
For a complete list of all bug fixes and improvements please see the official WordPress 4.5.3 release notes.