Hardly two and a half months of 2017 (the year, not the WordPress version) have passed, and the world has already seen three WordPress security updates, the last of which hit the dashboards on March 6.
The previous security release, 4.7.2, was launched 6 weeks ago (and only 2 weeks after 4.7.1) with the mission to patch the REST API vulnerability which caused more than 1.5 million website owners to wake up one morning and find their content defaced, with a strange, provocative message or two glaring from the screen, or a link to a rogue website selling medicine.
The core developers had agreed to keep silent and buy some time for WP users to update before the threat was publicly disclosed. This was very clever of them, but at the same time it left a lot of us confused.
Maybe even a little bit paranoid too. Should we worry now that they have issued another update so soon after the previous one? Are we to tremble in expectation of another terrifying disclosure waiting just around the corner?
According to WordPress's official statement, they fixed six security issues, three of which were XSS (cross-site scripting) vulnerabilities.
Just to make it clear, cross-site scripting is the most common security vulnerability today. In the most basic sense, it means injecting a malicious script into a web page and attacking the users of that page through the script. The attacker thereby makes use of a website that users as well as search engines deem secure, and abuses its reputation and privileges to redirect an unsuspecting user to a phishing site, steal their cookies, or do a zillion other things.
So far, the millions of victims of XSS attacks have included even giants such as Facebook, Twitter and YouTube.
WordPress also fixed a cross-site request forgery (CSRF, pronounced "sea surf"). This kind of attack is also very frequent and occurs when an attacker tricks a website into carrying out a request on behalf of an authenticated user that the website trusts.
Forty non-security bugs were fixed too.
So, if you haven’t updated yet to WordPress 4.7.3, do it right away.