WordPress 4.7.3 Security and Maintenance Release

WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
If you have not already updated your WordPress websites to WordPress 4.7.2, you need to do so immediately.
While three security vulnerabilities were disclosed in the original WordPress 4.7.2 security release post last week, a disclosure of additional security fix in WordPress 4.7.2 was announced yesterday.
WordPress versions 4.7.2 and earlier are affected by six security issues:
- Cross-site scripting (XSS) via media file metadata.
- Control characters can trick redirect URL validation.
- Unintended files can be deleted by administrators using the plugin deletion functionality.
- Cross-site scripting (XSS) via video URL in YouTube embeds.
- Cross-site scripting (XSS) via taxonomy term names.
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.
Thanks to the reporters for practising responsible disclosure.
In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.
While WordPress 4.7.2 was released as an autoupdate, you need to make sure that your sites have been updated successfully. If your site has not updated, you’ll see the WordPress 4.7.2 update available from your WordPress dashboard. Visit the Updates page by clicking the icon in the top navigation bar. As always, it’s a good idea to run a WordPress backup before updating.
WordPress 4.7.2 and prior versions are affected by multiple vulnerabilities. A remote attacker could exploit some of these vulnerabilities to take control of an affected website. US-CERT encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 4.7.3.
Should you have any concerns, please don’t hesitate to get in touch for help on updates and maintenance of your WordPress website.
Leave a Reply