WordPress just released the 4.5.2 security update. WorthPress 4.5.2 release notes indicate that the previous 4.5.1 and older versions are affected by a few vulnerabilities via Plupload, a bookcase third party that WordPress uses for uploading files.
WordPress 4.2 to 4.5.1 versions are vulnerable to XSS-reflexes that use specially crafted URIs through MediaElement.js, the third-party library used by media players.
MediaElement.js and Plupload also released updates to fix these issues.
Both themethey were analyzed and reported by Mario Heiderich, Masato Kinugawa, and Filedescriptor from Cure53.
"Thanks to the team with responsible disclosure, the Plupload and MediaElement.js teams and their close cooperation with us, we have rectified these issues immediately," WordPress reports.
Updated Files:
/wp-includes/js/plupload/plupload.flash.swf /wp-includes/js/mediaelement/flashmediaelement.swf /wp-includes/js/mediaelement/mediaelement-and-player.min.js /wp-includes/version .php /wp-includes/script-loader.php /readme.html /wp-admin/about.php