
WordPress 5.4.2 is now available!
This security and maintenance release includes 23 fixes and enhancements. Additionally, it adds many security fixes – see the list below.
These bugs affect WordPress 5.4.1 and earlier versions. Version 5.4.2 fixes these issues, so you need to upgrade.
If you haven't updated to 5.4, there are also updated versions for 5.3 and earlier that can fix bugs for you.
Security Update
WordPress 5.4 and earlier versions are affected by the following bugs, which have been fixed in version 5.4.2. If you have not updated to 5.4, there are also updated versions for 5.3 and earlier to address security issues.
- Props to Sam Thomas (jazzy2fives) for reporting an XSS issue where authenticated low-privilege users could add JavaScript to posts in the block editor.
- Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions could add JavaScript in media files.
- Props to Ben Bidner of the WordPress security team for finding an open redirect issue in wp_validate_redirect().
- Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme upload.
- 向Props to Simon Scannell of RIPS Technologies for discovering an issue where setting screen options could be abused by plugins to cause privilege escalation.
- 向Carolina NymarkThe suggestion is to identify an issue where comments on password-protected posts and pages can be displayed under certain circumstances.
Thanks to all reportersfor privately disclosing these vulnerabilities. This gives the security team time to fix vulnerabilities that could attack WordPress sites.
A maintenance update was also deployed to versions 5.1, 5.2, and 5.3. For more information, seerelated developer notes。
You canon TracbrowseChangethefull list。
For more information, browse the full list of changes on Trac, or check out5.4.2versiondocumentation page。
WordPress 5.4.2 is a short-term maintenance release. The next major version will beversion 5.5。
You can download WordPress 5.4.2 from the button at the top of this page, or visitDashboard → Updatesand clickUpdate Now。
If your site supports automatic background updates, they have already started the update process.