WordPress 5.4.2 which is a short-cycle maintenance release rolled out with 23 fixes, enhancements, and number of security fixes. WordPress versions 5.4 and earlier are affected by the following bugs, which are fixed in version 5.4.2. The bugs have also fixed in the updated versions of 5.3 and earlier.
Security updates
- Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor.
- Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
- Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect().
- Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads.
- Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation.
- Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.
WordPress users can download WordPress 5.4.2 from the button at the top of this page, or visit your Dashboard → Updates and click Update Now. The next major release will be version 5.5.