Categories: WordPress News

New Security Fixes Arrive in WordPress 5.2.4 Update

WordPress 5.2.4 is now available and the release addresses 6 security fixes. All the security vulnerabilities were reported by WordPress community people, in a standard practice where they privately disclose the security problems to the WordPress core development team.

Earlier versions of WordPress, from 3.7 to 5.2, have all received the following fixes in 5.2.4 release:

  1. An issue where stored XSS (cross-site scripting) could be added via the Customizer screen
  2. A bug through which you can easily view unauthenticated posts
  3. An issue which let stored XSS to inject Javascript into <style> tags
  4. A method using Vary: Origin header to poison the cache of JSON GET requests
  5. A server-side request forgery(SSRF) in the way that URLs are validated
  6. Issues related to referrer validation in the admin

The following are the files where code changes are placed:

  • /wp-includes/class-wp.php
  •  /wp-includes/class-wp-query.php
  •  /wp-includes/functions.php
  •  /wp-includes/http.php
  •  /wp-includes/pluggable.php
  •  /wp-includes/rest-api.php

For those who want to dive in the codings can find the complete code changes on GitHub.

This version is fully focused on security fixes. However, some other changes are also introduced in this release like in the script loader where they remove this line of code:

( $scripts->add( 'wp-sanitize', "/wp-includes/js/wp-sanitize$suffix.js", array( 'jquery' ), false, 1 );

It was removed since the code above makes an extra call to wp-sanitize.js.

Secondly, some lines of code have been added in script pluggable and script redirect to normalize the Windows path when validating the location for relative URLs.

If automatic updates are enabled on your WordPress, then this version may already be installed on your site. If not, then you can install this latest version by updating your existing WordPress version by going to Dashboard > Updates > Update Now menu in your site’s admin area. Another way is to download WordPress from the release archive. WordPress 5.2.4 is a short-cycle security release with the next major release being version 5.3.

For more WordPress updates and news, follows us on Twitter & Facebook.

Farhan Ayub

Farhan is a community manager at WPblog. He loves to work with WordPress and has a passion for web development. Mostly, he spends his time interacting with the people in the WordPress community. Apart from his work life, Farhan spends his time gaming and playing sports. Feel free to contact him at Farhan[at]

Published by
Farhan Ayub

Recent Posts

Beginner’s Guide to WordPress SEO – WordPress SEO Basics

This is the second installment of the series on SEO for WordPress. In the previous…

6 months ago

Top Rated Code Editors For WordPress Developers in 2020

Over the years, writing code has become an art in itself. Today, developers have access…

9 months ago

WooCommerce 4.0 – Everything You Need to Know!

WooCommerce 4.0 is here and there are some exciting updates that come with it. This…

9 months ago

8 Best WordPress Photo Gallery Plugins for 2020 (Compared)

In the world of the internet filled with words, images stand out images and can,…

9 months ago

6 Best WordPress Firewall Plugins for 2020 (Compared)

Our websites are more vulnerable to hackers and brute force attacks than they have ever…

9 months ago

9 Best WordPress Survey And Poll Plugins for 2020 (Compared)

Regardless of the business you’re running, it’s always helpful to know what your visitors are…

9 months ago