The open-source content management system WordPress has released urgent security updates for versions 4.7.2 and earlier and “strongly encourages” users to update right away.
A Look at the WordPress March 2017 Critical Security Update
The new Version 4.7.3 contains system fixes to half a dozen security flows that allowed for:
- Cross-site scripting (XSS) via media file metadata,
- Control characters tricking redirect URL validation,
- Unintended files being deleted by administrators using the plugin deletion functionality,
- Cross-site scripting (XSS) via video URL in YouTube embeds,
- Cross-site scripting (XSS) via taxonomy term names,
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.
Version 4.7.3 also includes fixes for almost 40 maintenance issues.
If you are currently on version 4.7.2, you should immediately move to the newest version as some of these security issues can allow for, among other things, cross-site scripting and request forgery attacks.
Websites that support automatic update are already receiving the latest WordPress update while those that prefer manual updates should head over to Dashboard > Updates and simply click “Update Now.” You can also Download WordPress 4.7.3.
The new update comes sortly after WordPress admins were informed of a separate security crisis in NextGEN Gallery plugin.