WordPress 5.2.4 Release Addresses Several Security Issues

October 15, 2019

The core WordPress team released version 5.2.4 of WordPress on October 14. The release addresses six security issues that were all privately reported through WordPress’ responsible disclosure procedure.

Like any security release, users should update immediately to the latest version to keep their sites secure.

For those with automatic updates enabled, the new version is already rolling out to sites. All major branches of WordPress from version 3.7 to 5.2 received the new security fixes. If automatic updates are not enabled, users should update from the “Updates” screen under “Dashboard” in the WordPress admin. Otherwise, users can download WordPress from the release archive and manually run an update to make sure their site is not at risk from what are now publicly known vulnerabilities.

In the release announcement, the following security issues were noted. They were corrected in all updated versions.

  • Stored cross-site scripting (XSS) could be added from the Customizer screen.
  • An issue that allowed stored XSS to inject JavaScript into <style> tags.
  • A bug that allowed unauthenticated posts to be viewed.
  • A method to use the Vary: Origin header to poison the cache of JSON GET requests (REST API).
  • A server-side request forgery (SSRF) in how URLs are validated.
  • Issues with referrer validation in the WordPress admin.

For developers who want to dive more into the code changes, the changeset is available on GitHub. Most changes should not affect plugins or themes. However, it is worth noting that the static query property was removed in this release. This removal affects both the WP and WP_Query classes. Developers should test their plugins against this version to make sure nothing is broken if their projects rely on this property. It is unlikely that many plugins rely on this query variable.

WordPress 5.2.4 also includes a couple of other bug fixes. One removes a line of code that makes an extra call to the wp-sanitize.js script in the script loader. The second fix addresses an issue where the directory path wasn’t normalized on Windows systems, which led to the wp_validate_redirect() function removing the domain. This fixes a bug created in WordPress 5.2.3.
