Categories: WordPress News

New Security Fixes Arrive in WordPress 5.2.4 Update

WordPress 5.2.4 is now available. It is a security release that addresses six vulnerabilities, all of which were reported by members of the WordPress community following the standard practice of disclosing them privately to the WordPress core development team.

The same fixes have been backported to the older branches from 3.7 through 5.2. The 5.2.4 release addresses:

  1. A stored XSS (cross-site scripting) issue in the Customizer screen
  2. A bug that allowed posts to be viewed without authentication
  3. A stored XSS issue that allowed JavaScript to be injected into <style> tags
  4. A method of poisoning the cache of JSON GET requests involving the Vary: Origin header
  5. A server-side request forgery (SSRF) in the way URLs are validated
  6. Issues related to referrer validation in the admin
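The cache-poisoning item above turns on a detail of HTTP caching: a response whose CORS headers depend on the request's Origin must say so with Vary: Origin, or a shared cache will store the first variant it sees and replay it to every later client. The following Python model, added here as an illustration and not code from WordPress or from this article, shows both behaviours with a toy Vary-aware cache; the route, the origins and the allow-list are constructed for the demo.

```python
"""Toy model of a shared cache in front of a JSON endpoint that echoes the
request Origin into Access-Control-Allow-Origin.  Added illustration, not
WordPress code; the route, origins and allow-list are constructed for the demo."""

ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}  # assumed allow-list
URL = "/wp-json/demo/v1/items"  # constructed route, not a real WordPress endpoint


def json_endpoint(request_headers, send_vary):
    """Origin server: reflect an allowed Origin into ACAO.  `send_vary` switches
    between the weak behaviour (no Vary header) and the corrected one."""
    headers = {"Content-Type": "application/json"}
    origin = request_headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    if send_vary:
        headers["Vary"] = "Origin"  # tell caches the response depends on Origin
    return {"status": 200, "headers": headers, "body": '{"items": []}'}


class SharedCache:
    """Minimal Vary-aware cache: an entry is reused only when the request
    carries the same values for every header named in the entry's Vary."""

    def __init__(self):
        self._entries = {}  # url -> list of (vary_names, vary_values, response)

    @staticmethod
    def _vary_values(names, request_headers):
        return tuple(request_headers.get(name) for name in names)

    def get(self, url, request_headers, origin_server):
        """Return (response, served_from_cache)."""
        for names, values, response in self._entries.get(url, []):
            if self._vary_values(names, request_headers) == values:
                return response, True
        response = origin_server(request_headers)
        vary = response["headers"].get("Vary", "")
        names = tuple(n.strip() for n in vary.split(",") if n.strip())
        entry = (names, self._vary_values(names, request_headers), response)
        self._entries.setdefault(url, []).append(entry)
        return response, False


def run_scenario(send_vary):
    """Two clients behind one cache.  A request from app.example primes the
    cache; a later request from admin.example shows what it receives."""
    cache = SharedCache()

    def server(request_headers):
        return json_endpoint(request_headers, send_vary)

    cache.get(URL, {"Origin": "https://app.example"}, server)
    second, from_cache = cache.get(URL, {"Origin": "https://admin.example"}, server)
    return {
        "served_from_cache": from_cache,
        "acao_seen_by_admin": second["headers"].get("Access-Control-Allow-Origin"),
    }


if __name__ == "__main__":
    print("without Vary: Origin ->", run_scenario(send_vary=False))
    print("with Vary: Origin    ->", run_scenario(send_vary=True))
```

Without the Vary header the second client is handed the first client's cached response, Access-Control-Allow-Origin and all; with it, the cache keeps one entry per Origin value. The attacker-facing version of the same mechanism is that whoever gets a request to the origin server first decides which CORS headers every later client receives from the cache until the entry expires.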

The following files carry the code changes:

  • /wp-includes/class-wp.php
  • /wp-includes/class-wp-query.php
  • /wp-includes/functions.php
  • /wp-includes/http.php
  • /wp-includes/pluggable.php
  • /wp-includes/rest-api.php

Those who want to dig into the code can find the complete set of changes on GitHub.

This version is focused entirely on security fixes, but it also carries a few supporting changes. In the script loader, the following registration was removed:

$scripts->add( 'wp-sanitize', "/wp-includes/js/wp-sanitize$suffix.js", array( 'jquery' ), false, 1 );

It was removed because it caused an extra request for wp-sanitize.js.

Second, lines were added to the redirect validation code in pluggable.php (wp_validate_redirect) to normalize Windows-style paths when a relative redirect location is resolved against the directory of the current request.
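The normalization step matters because a relative redirect target is built by prefixing the directory of the current request. If that directory comes back with backslash separators, the result can begin with "/\", which browsers following the WHATWG URL rules read as a protocol-relative URL naming another host. The following Python sketch, added here as an illustration and not WordPress's own wp_validate_redirect, resolves a relative target with and without normalization, shows how a browser would interpret each result, and then validates the target; the site host, the Windows-style dirname stand-in and the attacker-supplied input are assumptions made for the demo.

```python
"""Added illustration (not WordPress's wp_validate_redirect) of why a redirect
validator that resolves relative targets against the current request path has
to normalize that path first.  SITE_HOST, the Windows-style dirname stand-in
and the attacker input used in the checks are constructed for the demo."""

import posixpath
from urllib.parse import urlsplit

SITE_HOST = "site.example"  # assumed: the only host we are willing to redirect to


def dirname_windows_style(path):
    """Stand-in for a platform dirname() that hands back backslash separators,
    as a Windows build can; the normalization step exists for this case."""
    return posixpath.dirname(path).replace("/", "\\")


def normalize_path(path):
    """Backslashes become forward slashes and runs of slashes collapse to one."""
    path = path.replace("\\", "/")
    while "//" in path:
        path = path.replace("//", "/")
    return path


def resolve_relative(location, request_path, dirname=posixpath.dirname, normalize=True):
    """Turn a relative redirect target into an absolute path by prefixing the
    directory of the current request; `normalize` toggles the fix."""
    base = dirname(request_path)
    if normalize:
        base = normalize_path(base)
    return "/" + (base + "/").lstrip("/") + location


def browser_host_for(location, site_host):
    """Minimal emulation of the WHATWG rule for http(s) URLs: a backslash counts
    as a slash, so a path-only Location that begins with two slash-like
    characters is protocol-relative and names a new host."""
    i = 0
    while i < len(location) and location[i] in "/\\":
        i += 1
    if i < 2:
        return site_host  # ordinary same-host path
    rest = location[i:]
    for j, ch in enumerate(rest):
        if ch in "/\\?#":
            return rest[:j]
    return rest


def validate_redirect(location, request_path, dirname=posixpath.dirname, default="/"):
    """Return `location` if it is safe to send in a Location header, else `default`."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in location):
        return default  # CR/LF and friends: header injection
    if location.startswith("//"):
        location = "http:" + location  # make the protocol-relative form explicit
    parts = urlsplit(location)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default  # no javascript:, data:, ...
    if not parts.netloc and parts.path and not parts.path.startswith("/"):
        location = resolve_relative(location, request_path, dirname)
        parts = urlsplit(location)
    if parts.netloc and parts.hostname != SITE_HOST:
        return default  # absolute URL pointing off-site
    if browser_host_for(location, SITE_HOST) != SITE_HOST:
        return default  # a browser would still read this as protocol-relative
    return location


if __name__ == "__main__":
    attacker_input = "evil.example/login"  # constructed redirect_to value
    for normalize in (False, True):
        resolved = resolve_relative(attacker_input, "/", dirname_windows_style, normalize)
        print(f"normalize={normalize!s:5} -> {resolved!r} lands on "
              f"{browser_host_for(resolved, SITE_HOST)}")
    print("validated:", validate_redirect(attacker_input, "/", dirname_windows_style))
```

With the backslash directory left as-is, a request to the site root turns the harmless-looking relative value into "/\/evil.example/login", which a browser sends to evil.example; after normalization the same input stays on the site. The final browser_host_for check in validate_redirect is a belt-and-braces guard so that the validator rejects such a value even if some other code path produced it.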

If automatic updates are enabled on your site, this version may already be installed. If not, update from Dashboard > Updates > Update Now in your site's admin area, or download WordPress 5.2.4 from the release archive. WordPress 5.2.4 is a short-cycle security release; the next major release will be version 5.3.

For more WordPress updates and news, follow us on Twitter & Facebook.

Farhan Ayub

Farhan is a community manager at WPblog. He loves to work with WordPress and has a passion for web development. Mostly, he spends his time interacting with the people in the WordPress community. Apart from his work life, Farhan spends his time gaming and playing sports. Feel free to contact him at Farhan[at]
