WordPress Releases Security Update for Versions Prior to 4.7.5


WordPress versions prior to 4.7.5 are affected by multiple vulnerabilities. A remote attacker could exploit some of these vulnerabilities to take control of an affected website.

Users and administrators are encouraged to review the WordPress Security Release and upgrade to WordPress 4.7.5.

WordPress 4.7.5 Security and Maintenance Release

Posted May 16, 2017 by Pascal Birchler. Filed under Releases, Security.

WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.4 and earlier are affected by six security issues:

  1. Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
  2. Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
  3. Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
  4. A Cross Site Request Forgery (CSRF)  vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
  5. A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
  6. A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.5 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.5.

Thanks to everyone who contributed to 4.7.5.

The full release about WordPress Releases Security Update for Versions Prior to 4.7.5 is available at the following link: https://www.us-cert.gov/ncas/current-activity/2017/05/17/WordPress-Releases-Security-Update

NetGain Technologies shares security alerts from trustworthy sources as a courtesy to clients and partners. NetGain Technologies cannot independently verify the authenticity of any threat and does not control the content on linked pages. To learn more about corporate security or to consult with a security expert at NetGain Technologies, click here, email SMART@NetGainIT.com, or call (844) 793-0385.