WordPress 5.4.2 was released on June 10 and contains 23 fixes and some security enhancements.
Security fixes
- XSS allowed low privileged users to add JavaScript to posts in the block editor or to add JavaScript to media files.
- Open redirect issue in wp_validate_redirect().
- XSS issue via theme uploads.
- Issue where set-screen-option can be misused by plugins leading to privilege escalation.
- Vulnerabilities where comments from password-protected posts and pages could be displayed under certain conditions.
WordPress 5.1, 5.2 and 5.3 also got those fixes as an update.
A complete list of all commits in this updtate can be found on wordpress.org.
Remember to always create a backup before updating.
Picture courtesy of James Sutton.
