A Big Week for Security: Upgrade Jetpack to 4.0.4, Upgrade WordPress Core to 4.5.3.

It’s been a busy week for WordPress security. Jetpack has released a major security update, version 4.0.4, that fixes three vulnerabilities:

  • a vulnerability that allowed an attacker to make unauthorized changes to the “post by email” settings
  • a cross-site scripting (XSS) vulnerability in the Jetpack ‘Likes’ module
  • a vulnerability that made submitted feedback publicly readable via the REST API

These are all reasonably serious vulnerabilities. If you have not already upgraded to Jetpack version 4.0.4, we recommend you do so now.

In addition, WordPress core version 4.5.3 was released this week and is a security update that fixes the following:

  • a vulnerability that we discovered that allows any attacker to bypass password-protected posts and read them
  • a redirect bypass vulnerability in the customizer
  • two different XSS vulnerabilities via attachment names
  • an oEmbed denial of service (DoS) vulnerability
  • a vulnerability that allows unauthorized removal of a category from a post
  • a vulnerability that allows an attacker to change passwords using a stolen cookie
  • a security improvement to the sanitize_file_name() function

WordPress 4.5.3 also includes 17 bug fixes. We recommend you upgrade as soon as possible because this release contains a large number of security improvements.
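To confirm that a site is actually at or above the two patched releases named above, here is a small POSIX shell check added as an example (it is not code from Wordfence, WordPress or Jetpack). It assumes the installed versions are obtained with wp-cli (`wp core version`, `wp plugin get jetpack --field=version`); the version values fed to it at the bottom are constructed so it runs offline.

```shell
#!/bin/sh
# Added example: compare installed versions against the minimum patched
# releases from this post and report whether an upgrade is still needed.

WP_CORE_MIN="4.5.3"    # core release carrying the fixes listed above
JETPACK_MIN="4.0.4"    # Jetpack release carrying the three fixes

# version_lt A B: succeeds (returns 0) when dotted version A is strictly
# lower than B. Components are compared numerically, so 4.10 > 4.5, and
# missing components count as 0, so 4.5 < 4.5.3.
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; a="${a#*.}"
        bi="${b%%.*}"; b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# needs_upgrade NAME INSTALLED MINIMUM: prints a verdict; returns 0 when
# INSTALLED is already at or above MINIMUM, 1 when an upgrade is needed.
needs_upgrade() {
    if version_lt "$2" "$3"; then
        echo "$1 $2 is below the patched release: upgrade to $3 or later"
        return 1
    fi
    echo "$1 $2 is at or above $3"
    return 0
}

# On a live site (assumes wp-cli is installed and run from the site root):
#   needs_upgrade "WordPress core" "$(wp core version)" "$WP_CORE_MIN"
#   needs_upgrade "Jetpack" "$(wp plugin get jetpack --field=version)" "$JETPACK_MIN"
# Constructed sample values so the script runs without a WordPress install:
needs_upgrade "WordPress core" "4.5.2" "$WP_CORE_MIN" || :
needs_upgrade "Jetpack" "4.0.4" "$JETPACK_MIN" || :
```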


Comments

4 Comments
  • Thanks for the update, just updated all my WordPress sites. Also thanks for making a great security plugin. I use it on all my sites.

  • Thanks for these timely updates. I have Wordfence running on all my websites and appreciate the quick notifications of issues on them, even if it's just a note that plugins or themes need updating. There was one today warning about a phishing URL in a comment from a previously trusted source. I was able to warn the site owner who may not have been aware.

  • This would be awesome if Jetpack would connect like it should be now and if the new WordPress update hadn't disabled ALL pictures on my freakin website. I don't know why it's doing that, but it's really starting to tick me off.

  • Thanks again for keeping us in the loop regarding the flurry of updates and patches issued lately.