{"id":4696,"date":"2017-03-06T17:53:30","date_gmt":"2017-03-06T17:53:30","guid":{"rendered":"https:\/\/wordpress.org\/news\/?p=4696"},"modified":"2022-11-18T22:53:15","modified_gmt":"2022-11-18T22:53:15","slug":"wordpress-4-7-3-security-and-maintenance-release","status":"publish","type":"post","link":"https:\/\/wordpress.org\/news\/2017\/03\/wordpress-4-7-3-security-and-maintenance-release\/","title":{"rendered":"WordPress 4.7.3 Security and Maintenance Release"},"content":{"rendered":"

WordPress 4.7.3 is now available. This is a security release<\/strong> for all previous versions and we strongly encourage you to update your sites immediately.<\/p>\n

WordPress versions 4.7.2 and earlier are affected by six\u00a0security issues:<\/p>\n

    \n
  1. Cross-site scripting (XSS) via\u00a0media file metadata. \u00a0Reported by Chris Andr\u00e8 Dale<\/a>, Yorick Koster<\/a>,\u00a0and Simon P. Briggs.<\/li>\n
  2. Control characters can trick redirect URL validation. \u00a0Reported by Daniel Chatfield<\/a>.<\/li>\n
  3. Unintended\u00a0files can be deleted by administrators using the plugin deletion functionality. \u00a0Reported by TrigInc<\/a> and xuliang<\/a>.<\/li>\n
  4. Cross-site scripting (XSS) via\u00a0video URL in YouTube embeds. \u00a0Reported by Marc Montpas<\/a>.<\/li>\n
  5. Cross-site scripting (XSS) via taxonomy term names. \u00a0Reported by Delta<\/a>.<\/li>\n
  6. Cross-site request forgery (CSRF) in Press This leading to excessive use of server\u00a0resources. \u00a0Reported by Sipke Mellema.<\/li>\n<\/ol>\n

    Thank you to the\u00a0reporters for practicing responsible disclosure<\/a>.<\/p>\n

    In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the\u00a04.7 release series.\u00a0For more information, see the release notes<\/a>\u00a0or consult the list of changes<\/a>.<\/p>\n

    Download WordPress 4.7.3<\/a>\u00a0or venture over to Dashboard \u2192 Updates and simply click \u201cUpdate Now.\u201d Sites that support automatic background updates are already beginning to update to WordPress 4.7.3.<\/p>\n

    Thanks to everyone who contributed to 4.7.3: Aaron D. Campbell<\/a>, Adam Silverstein<\/a>, Alex Concha<\/a>, Andrea Fercia<\/a>, Andrew Ozz<\/a>, asalce<\/a>, blobfolio<\/a>, bonger<\/a>, Boone Gorges<\/a>, Boro Sitnikovski<\/a>, Brady Vercher<\/a>, Brandon Lavigne<\/a>, Bunty<\/a>, ccprog<\/a>, chetansatasiya<\/a>, David A. Kennedy<\/a>, David Herrera<\/a>, Dhanendran<\/a>, Dion Hulse<\/a>, Dominik Schilling (ocean90)<\/a>, Drivingralle<\/a>, Ella Van Dorpe<\/a>, Gary Pendergast<\/a>, Ian Dunn<\/a>, Ipstenu (Mika Epstein)<\/a>, James Nylen<\/a>, jazbek<\/a>, Jeremy Felt<\/a>, Jeremy Pry<\/a>, Joe Hoyle<\/a>, Joe McGill<\/a>, John Blackbourn<\/a>, John James Jacoby<\/a>, Jonathan Desrosiers<\/a>, Kelly Dwan<\/a>, Marko Heijnen<\/a>, MatheusGimenez<\/a>, Mike Nelson<\/a>, Mike Schroder<\/a>, Muhammet Arslan<\/a>, Nick Halsey<\/a>, Pascal Birchler<\/a>, Paul Bearne<\/a>, pavelevap<\/a>, Peter Wilson<\/a>, Rachel Baker<\/a>, reldev<\/a>, Robert O’Rourke<\/a>, Ryan Welcher<\/a>, Sanket Parmar<\/a>, Sean Hayes<\/a>, Sergey Biryukov<\/a>, Stephen Edgar<\/a>, triplejumper12<\/a>, Weston Ruter<\/a>, and wpfo<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

    WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.2 and earlier are affected by six\u00a0security issues: Cross-site scripting (XSS) via\u00a0media file metadata. \u00a0Reported by Chris Andr\u00e8 Dale, Yorick Koster,\u00a0and Simon P. Briggs. Control characters can trick redirect […]<\/p>\n","protected":false},"author":14329217,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"episode_type":"","audio_file":"","cover_image":"","cover_image_id":"","duration":"","filesize":"","date_recorded":"","explicit":"","block":"","filesize_raw":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[14,15],"tags":[189,437],"class_list":["post-4696","post","type-post","status-publish","format-standard","hentry","category-releases","category-security","tag-4-7","tag-minor-releases"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pZhYe-1dK","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/4696","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/users\/14329217"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/comments?post=4696"}],"version-history":[{"count":10,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/4696\/revisions"}],"predecessor-version":[{"id":13941,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/posts\/4696\/revisions\/13941"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/media?parent=4696"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/categories?post=4696"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wordpress.org\/news\/wp-json\/wp\/v2\/tags?post=4696"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}