If you use the WordPress content management system (CMS) for your blog or website, you should patch it now. The WordPress version 4.7.3 update fixes six security issues, most of them concern cross-site scripting (XXS) vulnerabilities. Here's what you need to know.
"This is a security release for all previous versions and we strongly encourage you to update your sites immediately," WordPress said.
Here are the six security issues that have been fixed in the WordPress update:
- Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
- Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
- Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by xuliang.
- Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc Montpas.
- Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.
The WordPress update also includes 39 maintenance fixes to the 4.7 release series.
To update to WordPress 4.7.3, you can download it here; extended instructions on how to do the update, which is suitable for larger sites, can he found here. Alternatively, head over to your CMS, go to Dashboard > Updates and click on Update Now. According to WordPress, sites that support automatic background updates are already beginning to update to WordPress 4.7.3.