June 18th, 2016
WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir; two different XSS problems via attachment names, reported by Jouko Pynnönen and Divyesh Prajapati; revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive; password change via stolen cookie, reported by Michael Adams from the WordPress security team; and some less secure
sanitize_file_name edge cases reported by Peter Westwood of the WordPress security team.
Thank you to the reporters for practicing responsible disclosure.
Download WordPress 4.5.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.5.3.
Thanks to everyone who contributed to 4.5.3:
Boone Gorges, Silvan Hagen, vortfu, Eric Andrew Lewis, Nikolay Bachiyski, Michael Adams, Jeremy Felt, Dominik Schilling, Weston Ruter, Dion Hulse, Rachel Baker, Alex Concha, Jennifer M. Dodd, Brandon Kraft, Gary Pendergast, Ella Iseulde Van Dorpe, Joe McGill, Pascal Birchler, Sergey Biryukov, David Herrera and Adam Silverstein.