WordPress < 4.5.2 Multiple Vulnerabilities (ImageTragick)

Versions of WordPress prior to 4.5.2 are affected by multiple vulnerabilities :

• A flaw exists that is triggered when using the ‘ephemeral’ pseudo protocol, which may allow a context-dependent attacker to delete arbitrary files.
• A flaw exists in the ‘ms’ pseudo protocol that is triggered when moving image files. This may allow a context-dependent attacker to move arbitrary files to arbitrary locations.
• A flaw exists in the ‘label’ pseudo protocol that is triggered during the handling of a specially crafted image. This may allow a context-dependent attacker to read arbitrary files.
• A flaw known as ‘ImageTragick’ is triggered as shell characters are not properly filtered in filenames passed to delegate commands. This may allow a context-dependent attacker to inject arbitrary shell commands and subsequently execute arbitrary code.
• ‘MediaElement.js’ contains a flaw that allows a reflected cross-site scripting (XSS) attack. The program does not validate input before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.
• Plupload contains an unspecified same-origin method execution flaw. No further details have been provided.