WordPress 4.7.3 is now available with patches for six security vulnerabilities that affect version 4.7.2 and all previous versions. WordPress.org is strongly encouraging users to update their sites immediately.
The release includes fixes for three cross-site scripting (XSS) vulnerabilities that affect media file metadata, video URLs in YouTube embeds, and taxonomy term names. It also includes patches for three other security issues:
- Control characters can trick redirect URL validation
- Unintended files can be deleted by administrators using the plugin deletion functionality
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources
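The first item above, control characters slipping past redirect URL validation, is a general class of bug and not specific to WordPress. The following is an added illustration written for this page, not WordPress code and not a description of the patched flaw: a naive validator that only checks the parsed host beside a hardened one that refuses any URL carrying ASCII control characters before parsing it. The allowlisted hostnames and the sample URLs are constructed for the example.

```python
"""Redirect-URL validation: naive host check vs. control-character rejection.

Added example, not WordPress code. ALLOWED_HOSTS and the sample URLs are
constructed placeholders.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist of the site's own hosts (placeholder names).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# ASCII control characters: 0x00-0x1F plus DEL (0x7F). CR/LF in a redirect
# target is the classic response-splitting vector; tabs and other controls are
# stripped or re-interpreted by some URL parsers, so the validator and the
# browser may not see the same URL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def naive_is_safe_redirect(url: str) -> bool:
    """Checks only the parsed host.

    Weaknesses shown by the tests below: it waves through URLs that still
    contain control characters, and it treats a scheme-less URL as same-site
    even when it is protocol-relative ("//other-host/...").
    """
    parts = urlsplit(url)
    if not parts.scheme:  # assumed to be a same-site path
        return True
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def hardened_is_safe_redirect(url: str) -> bool:
    """Reject before parsing, then allow only http(s) to an allowlisted host
    or a plain same-site path."""
    if not url or CONTROL_CHARS.search(url) or url != url.strip():
        return False
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Same-site path: exactly one leading slash. Browsers treat both
        # "//host" and "/\host" as protocol-relative, so refuse them.
        return url.startswith("/") and not url.startswith(("//", "/\\"))
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # hostname() discards any userinfo, so "https://example.com@other/" is
    # judged by "other", not by the allowlisted-looking prefix.
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def compare(url: str) -> tuple:
    """Return (naive_verdict, hardened_verdict) for one candidate URL."""
    return naive_is_safe_redirect(url), hardened_is_safe_redirect(url)


if __name__ == "__main__":
    # Constructed sample redirect targets.
    samples = [
        "https://example.com/wp-admin/",
        "/wp-admin/",
        "https://example.com/page\tid=1",
        "https://example.com/x\r\nSet-Cookie: a=b",
        "https://example.com/x\x00",
        "//other.example/",
        "https://example.com@other.example/",
        "https://other.example/",
    ]
    for u in samples:
        naive, hardened = compare(u)
        print(f"{u!r:48} naive={naive!s:5} hardened={hardened}")
```

The hardened check is deliberately a reject-list on characters plus an allowlist on scheme and host: anything the validator cannot account for is refused rather than normalised, so the URL the validator approved is byte-for-byte the URL that reaches the Location header.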
These vulnerabilities were responsibly disclosed by a variety of sources contributing to WordPress security.
Version 4.7.3 is also a maintenance release with fixes for 39 issues. This includes a fix for an annoying bug that popped up after 4.7.1 where certain non-image files failed to upload, giving an error message that said: “Sorry, this file type is not permitted for security reasons.” Those who were negatively impacted have been waiting on this fix for two months.
Now that the patched vulnerabilities in 4.7.3 are public, it is only a matter of time before hackers begin exploiting sites that do not update.