WordPress 5.4.2 Security and Maintenance Release

WordPress 5.4.2 is now available!

security and maintenance releases have 23 fixes and enhancements. Plus, it adds a number of security improvements-see the list below.

This bug affects versions of WordPress 5.4.1 and earlier; 5.4.2 version fixes them, so you’ll want to upgrade.

If you have not updated to 5.4, there are also updated versions of the 5.3 and earlier that fix bugs for you.

Security update
WordPress version 5.4 and earlier are affected by these bugs, which are fixed in version 5.4.2. If you have not updated to 5.4, there are also updated versions of the 5.3 and earlier that fix security issues.

• Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor.
• Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
• Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect().
• Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads.
• Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation.
• Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.

A maintenance update also deployed to version 5.1, 5.2 and 5.3. See note related developer for more information.

You can browse the complete list of changes in Trac.

For more info, browse the full list of changes in Trac or check the documentation page Version 5.4.2.

WordPress 5.4.2 is a maintenance release of short cycles. The next major release will be version 5.5.

You can download WordPress 5.4.2 from the button at the top of this page, or visit Dashboard → Updates and click Update Now.

If you have a site that supports automatic background updates, they have started the update process.

security and maintenance releases have 23 fixes and enhancements. Plus, it adds a number of security improvements-see the list below.

This bug affects versions of WordPress 5.4.1 and earlier; 5.4.2 version fixes them, so you’ll want to upgrade.