WordPress 4.5.3 Maintenance and Security Release


 WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. 

WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir (http://yassineaboukir.com/); two different XSS problems via attachment names, reported by Jouko Pynnönen (https://klikki.fi/) and Divyesh Prajapati (https://twitter.com/divy_er); revision history information disclosure, reported independently by John Blackbourn (https://profiles.wordpress.org/johnbillion) from the WordPress security team and by Dan Moen from the Wordfence Research Team; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive (https://www.alleyinteractive.com/); password change via stolen cookie, reported by Michael Adams (https://blogwaffe.com/) from the WordPress security team; and some less secure sanitize_file_name edge cases reported by Peter Westwood (http://peter.westwood.name/) of the WordPress security team.

Thank you to the reporters for practicing responsible disclosure (https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/).

In addition to the security issues above, WordPress 4.5.3 fixes 17 bugs from 4.5, 4.5.1 and 4.5.2. For more information, see the release notes (https://codex.wordpress.org/Version_4.5.3) or consult the list of changes (https://core.trac.wordpress.org/query?milestone=4.5.3).

Download WordPress 4.5.3 (https://wordpress.org/download/) or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.5.3.

Thanks to everyone who contributed to 4.5.3.