WordPress 5.4.2 is now available!
This security and maintenance release features 23 fixes and enhancements. It also includes a number of security fixes. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the bugs for you.
WordPress versions 5.4 and earlier are affected by the following bugs, which are fixed in version 5.4.2. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.
- An XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor.
- An XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
- An open redirect issue in wp_validate_redirect().
- An authenticated XSS issue via theme uploads.
- An issue where set-screen-option can be misused by plugins, leading to privilege escalation.
- An issue where comments from password-protected posts and pages could be displayed under certain conditions.
One maintenance update was also deployed to versions 5.1, 5.2 and 5.3. For more info, browse the full list of changes on Trac or check out the Version 5.4.2 documentation page. WordPress 5.4.2 is a short-cycle maintenance release. The next major release will be version 5.5.
If automatic updates are enabled on your site, the update has either already been applied or will be applied shortly.