WordPress 5.2.4 was released on October 14 and fixes a few vulnerabilities in WordPress. This update is available for all versions of WordPress since 3.7 and fixes the following bugs:
- An issue where stored XSS (cross-site scripting) could be added via the Customizer.
- A method of viewing unauthenticated posts was disclosed.
- A vulnerability which allowed stored XSS to inject Javascript into style tags is now closed.
- A method to poison the cache of JSON GET requests via the Vary: Origin header is disclosed.
- A bug allowed a server-side request forgery in the way that URLs are validated.
- An issue related to referrer validation in the admin was discovered and closed.
Remember to create a backup before installing an update.
