WordPress 5.4.2 released

It is time to update WordPress to version 5.4.2 released on June 10th, 2020.

Five security issues are fixed in the new version together with twenty-two bug and regression fixes.

The security issues affect WordPress versions 5.4 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.

  • Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor
  • Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
  • Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect().
  • Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads
  • Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation
  • Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.

More info