Category: Security

WordPress 5.9.2 is now available!

This security and maintenance release features one bug fix in addition to three security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.9.2 is a security and maintenance release. The next major release will be version 6.0.

You can download WordPress 5.9.2 from WordPress.org, or by visiting your Dashboard → Updates and clicking “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

For more information, browse the full list of changes on Trac, or check out the version 5.9.2 HelpHub documentation page.

Thanks and props!

The 5.9.2 release was led by Jb Audras, with the help of Jorge Costa on package updates, Sergey Biryukov on mission control, and David Baumwald on backport commits.

In addition to the release squad members mentioned above, thank you to everyone who helped make WordPress 5.9.2 happen:

Alan Jacob Mathew, Alex Concha, André, Anton Vlasenko, David Baumwald, ehtis, Jb Audras, Jorge Costa, Peter Wilson, Sergey Biryukov, Tonya Mork, and ironprogrammer.

Props @davidbaumwald and @sergeybiryukov for peer reviewing.

This security release features four security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.8.3 is a short-cycle security release. The next major release will be version 5.9, which is already in the Release Candidate stage.

You can update to WordPress 5.8.3 by downloading from WordPress.org or by visiting your Dashboard → Updates and clicking “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Four security issues affect WordPress versions between 3.7 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issues (except where noted otherwise):

• Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for disclosing an issue with stored XSS through post slugs.
• Props to Simon Scannell of SonarSource for reporting an issue with Object injection in some multisite installations.
• Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a SQL injection vulnerability in WP_Query.
• Props to Ben Bidner from the WordPress security team for reporting a SQL injection vulnerability in WP_Meta_Query (only relevant to versions 4.1-5.8). 

Thank you to all of the reporters above for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked. Thank you to the members of the WordPress security team for implementing these fixes in WordPress.

For more information, check out the 5.8.3 HelpHub documentation page.

Thanks and props!

The 5.8.3 release was led by @desrosj and @circlecube.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.3 happen:

Alex Concha, Dion Hulse, Dominik Schilling, ehtis, Evan Mullins, Jake Spurlock, Jb Audras, Jonathan Desrosiers, Ian Dunn, Peter Wilson, Sergey Biryukov, vortfu, and zieladam.

WordPress 5.8.2 is now available!

This security and maintenance release features 2 bug fixes in addition to 1 security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.2 have also been updated.

WordPress 5.8.2 is a small focus security and maintenance release. The next major release will be version 5.9.

You can download WordPress 5.8.2 by downloading from WordPress.org, or by visiting your Dashboard → Updates and clicking “Update Now”. If you have sites that support automatic background updates, they’ve already started the update process.

For more information, browse the full list of changes on Trac, or check out the version 5.8.2 HelpHub documentation page.

Thanks and props!

The 5.8.2 release was led by Jonathan Desrosiers and Evan Mullins.

In addition to the release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.2 happen: Ari Stathopoulos, Bradley Taylor, davidwebca, Evan Mullins, Greg Ziółkowski, Jonathan Desrosiers, Juliette Reinders Folmer, Mukesh Panchal, Sergey Biryukov, shimon246, and Yui.

WordPress 5.8.1 is now available!

This security and maintenance release features 60 bug fixes in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.

WordPress 5.8.1 is a short-cycle security and maintenance release. The next major release will be version 5.9.

You can download WordPress 5.8.1 by downloading from WordPress.org, or by visiting your Dashboard → Updates and clicking “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Three security issues affect WordPress versions between 5.4 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 5.4 have also been updated to fix the following security issues:

• Props to @mdawaffe, a member of the WordPress Security Team, for their work fixing a data exposure vulnerability within the REST API.
• Props to Michał Bentkowski of Securitum for reporting a XSS vulnerability in the block editor.
• The Lodash library has been updated to version 4.17.21 in each branch to incorporate upstream security fixes.

In addition to these issues, the security team would like to thank the following people for reporting vulnerabilities during the WordPress 5.8 beta testing period, allowing them to be fixed prior to release:

• Props to Evan Ricafort for reporting a XSS vulnerability in the block editor discovered during the 5.8 release’s beta period.
• Props to Steve Henty for reporting a privilege escalation issue in the block editor.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the WordPress security team time to fix the vulnerabilities before WordPress sites could be attacked.

For more information, browse the full list of changes on Trac, or check out the version 5.8.1 HelpHub documentation page.

Thanks and props!

The 5.8.1 release was led by Jonathan Desrosiers and Evan Mullins.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.1 happen: 2linctools, Adam Zielinski, Alain Schlesser, Alex Lende, alexstine, AlGala, André, Andrei Draganescu, Andrew Ozz, Ankit Panchal, Anthony Burchell, Anton Vlasenko, Ari Stathopoulos, Bruno Ribaric, Carolina Nymark, Daisy Olsen, Daniel Richards, Daria, David Anderson, David Biňovec, David Herrera, Dominik Schilling, Ella van Durpe, Enchiridion, Evan Mullins, Gary Jones, George Mamadashvili, Greg Ziółkowski, Héctor Prieto, ianmjones, Jb Audras, Jeff Bowen, Joe Dolson, Joen A., John Blackbourn, Jonathan Desrosiers, JuanMa Garrido, Juliette Reinders Folmer, Kai Hao, Kapil Paul, Kerry Liu, Kevin Fodness, Marcus Kazmierczak, Mark-k, Matt, Michael Adams (mdawaffe), Mike Schroder, moch11, Mukesh Panchal, Nik Tsekouras, Paal Joachim Romdahl, Pascal Birchler, Paul Bearne, Paul Biron, Peter Wilson, Petter Walbø Johnsgård, Radixweb, Rahul Mehta, ramonopoly, ravipatel, Riad Benguella, Robert Anderson, Rodrigo Arias, Sanket Chodavadiya, Sergey Biryukov, Stephen Bernhardt, Stephen Edgar, Steve Henty, terraling, Timothy Jacobs, tmatsuur, TobiasBg, Tonya Mork, Toro_Unit (Hiroshi Urabe), Vlad T, wb1234, and WFMattR.

WordPress 5.7.2 is now available.

This security release features one security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.7.2 is a short-cycle security release. The next major release will be version 5.8.

You can update to WordPress 5.7.2 by downloading from WordPress.org, or by visiting your Dashboard → Updates and clicking “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

One security issue affecting WordPress versions between 3.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issue:

• Object injection in PHPMailer, CVE-2020-36326 and CVE-2018-19296.

Thank you to the members of the WordPress security team for implementing these fixes in WordPress.

For more information refer to the version 5.7.2 HelpHub documentation page.

Thanks and props!

The 5.7.2 release was led by @peterwilsoncc and @audrasjb.

Thank you to everyone who helped make WordPress 5.7.2 happen: @audrasjb, @ayeshrajans, @desrosj, @dd32, @peterwilsoncc, @SergeyBiryukov, and @xknown.

WordPress 5.7.1 is now available!

This security and maintenance release features 26 bug fixes in addition to two security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 4.7 have also been updated.

WordPress 5.7.1 is a short-cycle security and maintenance release. The next major release will be version 5.8.

You can download WordPress 5.7.1 by downloading from WordPress.org, or by visiting your Dashboard → Updates and clicking “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Two security issues affect WordPress versions between 4.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 4.7 have also been updated to fix the following security issues:

• Thank you SonarSource for reporting an XXE vulnerability within the media library affecting PHP 8.
• Thank you Mikael Korpela for reporting a data exposure vulnerability within the REST API.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.

Props to Adam Zielinski, Pascal Birchler, Peter Wilson, Juliette Reinders Folmer, Alex Concha, Ehtisham Siddiqui, Timothy Jacobs and the WordPress security team for their work on these issues.

For more information, browse the full list of changes on Trac, or check out the version 5.7.1 HelpHub documentation page.

Thanks and props!

The 5.7.1 release was led by @peterwilsoncc and @audrasjb.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.7.1 happen:

99w, Adam Silverstein, Andrew Ozz, annalamprou, anotherdave, Ari Stathopoulos, Ayesh Karunaratne, bobbingwide, Brecht, Daniel Richards, David Baumwald, dkoo, Dominik Schilling, dragongate, eatsleepcode, Ella van Durpe, Erik, Fabian Pimminger, Felix Arntz, Florian TIAR, gab81, Gal Baras, Geoffrey, George Mamadashvili, Glen Davies, Greg Ziółkowski, grzim, Ipstenu (Mika Epstein), Jake Spurlock, Jayman Pandya, Jb Audras, Joen A., Johan Jonk Stenström, Johannes Kinast, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Josee Wouters, Joy, k3nsai, Kelly Choyce-Dwan, Kerry Liu, Marius L. J., Mel Choyce-Dwan, Mikhail Kobzarev, mmuyskens, Mukesh Panchal, nicegamer7, Otshelnik-Fm, Paal Joachim Romdahl, palmiak, Pascal Birchler, Peter Wilson, pwallner, Rachel Baker, Riad Benguella, Rinat Khaziev, Robert Anderson, Roger Theriault, Sergey Biryukov, Sergey Yakimov, SirStuey, stefanjoebstl, Stephen Bernhardt, Sumit Singh, Sybre Waaijer, Synchro, Terri Ann, tigertech, Timothy Jacobs, tmatsuur, TobiasBg, Tonya Mork, Toru Miki, Ulrich, and Vlad T.

WordPress 5.5.2 is now available!

For more information, please read the official announcement post.