On 6 May, 2016, WordPress 4.5.2 was released to the public.
To download WordPress 4.5.2, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress – Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
From the WordPress 4.5.2 release notes, WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.
Both issues were analyzed and reported by Mario Heiderich, Masato Kinugawa, and Filedescriptor from Cure53. Thanks to the team for practicing responsible disclosure, and to the Plupload and MediaElement.js teams for working closely with us to coördinate and fix these issues.
/wp-includes/js/plupload/plupload.flash.swf /wp-includes/js/mediaelement/flashmediaelement.swf /wp-includes/js/mediaelement/mediaelement-and-player.min.js /wp-includes/version.php /wp-includes/script-loader.php /readme.html /wp-admin/about.php