WordPress Security Update Patches Two Dozen Flaws

WordPress updated to version 4.5.3, a security release for all versions.

WordPress last week updated to version 4.5.3, a security release for all versions of the content management system.

The update patches more than two dozen vulnerabilities, including 17 bugs introduced in the last three releases, all published this year. Many of the vulnerabilities can be exploited remotely and allow an attacker to take control of a website running on WordPress.

The platform continues to focus on security; already this year WordPress has been updated a handful of times with sizable security updates and, in April, turned on free encryption for custom domains hosted on WordPress.

Last week’s update patches vulnerabilities affecting versions 4.5.2 and earlier.

The update addressed a redirect bypass vulnerability in the WordPress Customizer API, a framework used by developers to preview live changes to WordPress themes.

Two separate cross-site scripting vulnerabilities delivered via attachment names were also patched, as were an information disclosure bug in revision history and a flaw that allows for unauthorized category removal from a post.

The update also took care of a denial-of-service vulnerability in oEmbed, a protocol used by WordPress sites to display embedded photos or video when users link third-party content.

Two other bugs reported by the WordPress security team round out the update: a password vulnerability via stolen cookies, and less secure sanitize_file_name edge cases.
