FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

wordpress -- multiple vulnerabilities

Affected packages
wordpress < 4.5.3,1
de-wordpress < 4.5.3
ja-wordpress < 4.5.3
ru-wordpress < 4.5.3
zh-wordpress-zh_CN < 4.5.3
zh-wordpress-zh_TW < 4.5.3

Details

VuXML ID bfcc23b6-3b27-11e6-8e82-002590263bf5
Discovery 2016-06-18
Entry 2016-06-25

Adam Silverstein reports:

WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir; two different XSS problems via attachment names, reported by Jouko Pynnönen and Divyesh Prajapati; revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen from the Wordfence Research Team; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive; password change via stolen cookie, reported by Michael Adams from the WordPress security team; and some less secure sanitize_file_name edge cases reported by Peter Westwood of the WordPress security team.

References

CVE Name CVE-2016-5832
CVE Name CVE-2016-5833
CVE Name CVE-2016-5834
CVE Name CVE-2016-5835
CVE Name CVE-2016-5836
CVE Name CVE-2016-5837
CVE Name CVE-2016-5838
CVE Name CVE-2016-5839
FreeBSD PR ports/210480
FreeBSD PR ports/210581
URL http://www.openwall.com/lists/oss-security/2016/06/23/9
URL https://wordpress.org/news/2016/06/wordpress-4-5-3/