New Security Fixes Arrive in WordPress 5.2.4 Update
WordPress 5.2.4 is now available and the release addresses 6 security fixes. All the security vulnerabilities were reported by WordPress community people, in a standard practice where they privately disclose the security problems to the WordPress core development team.
Earlier versions of WordPress, from 3.7 to 5.2, have all received the following fixes in 5.2.4 release:
- An issue where stored XSS (cross-site scripting) could be added via the Customizer screen
- A bug through which you can easily view unauthenticated posts
- A method using Vary: Origin header to poison the cache of JSON GET requests
- A server-side request forgery(SSRF) in the way that URLs are validated
- Issues related to referrer validation in the admin
The following are the files where code changes are placed:
For those who want to dive in the codings can find the complete code changes on GitHub.
This version is fully focused on security fixes. However, some other changes are also introduced in this release like in the script loader where they remove this line of code:
( $scripts->add( 'wp-sanitize', "/wp-includes/js/wp-sanitize$suffix.js", array( 'jquery' ), false, 1 );
It was removed since the code above makes an extra call to wp-sanitize.js.
Secondly, some lines of code have been added in script pluggable and script redirect to normalize the Windows path when validating the location for relative URLs.
If automatic updates are enabled on your WordPress, then this version may already be installed on your site. If not, then you can install this latest version by updating your existing WordPress version by going to Dashboard > Updates > Update Now menu in your site’s admin area. Another way is to download WordPress from the release archive. WordPress 5.2.4 is a short-cycle security release with the next major release being version 5.3.
Subscribe to Get a FREE WordPress Ebook Right in Your Inbox
WPblog provides the complete guide to launch your WordPress website completely FREE!