This week’s launch of WordPress 5.4.2 includes dozens of bug fixes

WordPress’s latest release comes bundled with 23 fixes and enhancements, including patches for six moderate risk cross-site scripting (XSS) and other security bugs.

WordPress 5.4.2, released on Wednesday (June 10), addresses a number of security flaws that are present in versions 5.4 and earlier of the open source content management system.

All of the notable security issues resolved in the latest WordPress core release require the attacker to already hold an authenticated account on the target site.

This means sites that do not allow self-registration or hand out accounts to untrusted people are far less exposed.

Even so, updating is still recommended, and for many sites this minor release will be applied automatically.

XSS marks the spot

One of the XSS issues addressed by the update meant that authenticated users with low privileges, such as contributors, were able to add JavaScript to posts in the block editor.

The WordPress core security flaw was discovered by security researcher Sam Thomas.

A separate XSS issue meant that authenticated users with upload permissions were able to add JavaScript to media files.

And researcher Nrimo Ing Pandum found an authenticated XSS issue via theme uploads.

But the release is not just about XSS bugs. The update also resolves an open redirect issue in wp_validate_redirect(), discovered by Ben Bidner of the WordPress Security Team.

An issue where comments from password-protected posts and pages could be displayed under certain conditions has also been resolved.

Plugin peril

Lastly, the fix is also in for a privilege escalation flaw in which the set-screen-option filter could be misused by plugins, discovered by security researcher Simon Scannell of RIPS Technologies.

Scannell told The Daily Swig: “The vulnerability was found when I did my research about the WordPress core and its underlying logic. The vulnerability was triggerable through certain plugins.

“At the time, there were a couple resulting in privilege escalation in hundreds of thousands of sites.”

Scannell added: “Requirement was any user with access to the site’s admin dashboard, which is possible with plugins like bbPress. An overlap of these two plugins could result in an unprivileged forum user taking over the site.”
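The plugin-side pattern at issue is worth seeing in code. The following is an added illustration, not code from WordPress core, from RIPS, or from any named plugin: it contrasts a set-screen-option handler that saves whatever option name the request supplies against one that only accepts the option the plugin itself registered. The function and option names (example_*) are assumed for the example.

```php
<?php
// Added illustration, not code from the original article or from WordPress core.
// The 'set-screen-option' filter is called by core with ($status, $option, $value);
// returning false means "do not save", any other return value is stored as user
// meta under the key $option for the current user.

// Anti-pattern: returning $value for every $option persists whatever option
// name the request supplies, so the plugin is no longer deciding what is
// written, the request is.
function example_unsafe_set_screen_option( $status, $option, $value ) {
    return $value;
}

// Defensive version: only handle the option this plugin actually registered
// (name assumed for the example), and coerce the value to the range the
// screen expects. Everything else is passed through untouched so core or the
// option's real owner can decide what to do with it.
function example_safe_set_screen_option( $status, $option, $value ) {
    if ( 'example_items_per_page' !== $option ) {
        return $status;
    }
    $value = (int) $value;
    if ( $value < 1 || $value > 999 ) {
        return $status; // out-of-range input: nothing is saved
    }
    return $value;
}

add_filter( 'set-screen-option', 'example_safe_set_screen_option', 10, 3 );
```

The check that matters is the comparison against the option name: a handler that does not look at `$option` is effectively letting any dashboard user choose which user meta key to write. Plugin authors reviewing their own code should look for filters on `set-screen-option` that return `$value` unconditionally.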

These various security fixes are summarised in an advisory from the WordPress security team.

WordPress 5.4.2 is a maintenance release. The next major release will be version 5.5, which is targeted for a mid-August rollout.

For sites that have not yet moved to the 5.4 branch, updated releases of 5.3 and earlier are also available that fix the same security issues.


RELATED WordPress security: Critical flaw fixed in bbPress forum plugin