What a Week for WordPress Updates
Jetpack for WordPress – Updated
This has been a very busy week for WordPress security updates. In the last 7 days, Jetpack released a major security update, version 4.0.4, that fixes three vulnerabilities:
- A vulnerability that allowed an attacker to perform unauthorized changes to the “post by email” settings was fixed.
- A cross-site scripting (XSS) vulnerability in the Jetpack ‘Likes’ module was fixed.
- A vulnerability that made submitted feedback publicly available via the REST API was resolved.
All of these are quite serious vulnerabilities. If you haven’t already upgraded to Jetpack version 4.0.4, we strongly recommend you do so now.
WordPress Core Update
In addition, WordPress core version 4.5.3 was released. It is a security update that fixes the following:
- A vulnerability that allowed any attacker to bypass password protection and read protected posts was fixed.
- A redirect bypass vulnerability in the customizer was patched.
- Two different XSS vulnerabilities via attachment names were fixed.
- An oEmbed denial-of-service (DoS) vulnerability was fixed.
- A vulnerability that allowed unauthorized category removal from a post was patched.
- A vulnerability that allowed an attacker to change passwords via a stolen cookie was fixed.
- A security improvement to the sanitize_file_name() function was added.
In addition to this, WordPress 4.5.3 also includes 17 bug fixes. We recommend you upgrade as soon as possible because this release contains a substantial number of important security improvements.
If you’re tired of trying to keep up with all of this, let us do your WordPress maintenance.