WordPress just released security update 4.5.2. The notes WordPress version 4.5.2 reports that the previous version 4.5.1 and older versions are affected by a few vulnerabilities via Plupload, a bookcase third party that WordPress uses to upload files.
WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs via MediaElement.js, the third-party library used by Appliances media playback.
MediaElement.js and Plupload also released updates to fix these issues.
And two issues analyzed and reported by Mario Heiderich, Masato Kinugawa, and Filedescriptor from Cure53.
"Thanks to team with responsible disclosure, to the Plupload and MediaElement.js teams and working closely with us we immediately fixed these issues,” says WordPress.
Updated Files:
/wp-includes/js/plupload/plupload.flash.swf /wp-includes/js/mediaelement/flashmediaelement.swf /wp-includes/js/mediaelement/mediaelement-and-player.min.js / wp-includes / version .php /wp-includes/script-loader.php /readme.html /wp-admin/about.php