WordPress 5.3.1 was released on December 13 and contains 46 fixes/enhancements and some security fixes. WordPress 5.3 and earlier are affected by this vulnerability and there are fixes for older versions of WordPress as well. You should install this update as soon as possible to protect your site against exploits.
Security fixes
- Unprivileged user could make a post sticky via the REST API.
- Cross-site scripting (XSS) could be stored in well-crafted links.
- Wp_kses_bad_protocol() has been hardened to ensure that it is aware of the named colon attribute.
- A stored XSS vulnerability using block editor content was fixed.
Maintenance fixes
Administration
- Improvements to admin form controls height and alignment standardization.
- Dashboard widget links accessibility and alternate color scheme readability issues fixed.
Block editor
- Edge scrolling issues and intermittent JavaScript issues were fixed.
Bundled themes
- Add customizer option to show/hide author bio.
- Replace JS based smooth scroll with CSS.
- Fixed Instagram embed CSS.
Date/time
- Improve non-GMT dates calculation.
- Fixed date format output in specific languages.
- get_permalink() is now more resilient against PHP timezone changes.
Embeds
- Removed CollegeHumor oEmbed provider as the service doesn’t exist anymore.
- External library sodium_compat has been updated.
Site health
- Now allows the remind interval for the admin email verification to be filtered.
Uploads
- Now avoids thumbnails overwriting other uploads when filename matches.
- PNG images are excluded from scaling after upload.
Users
- Ensure administration email verification uses the user’s locale instead of the site locale.
Remember to create a backup before installing updates
