The core WordPress team released version 5.2.4 of WordPress on October 14th 2019. The release addresses six security issues that were all privately reported through WordPress’ responsible disclosure procedure.
Like any security release, users should update immediately to the latest version to keep their sites secure.
All major branches of WordPress from version 3.7 to 5.2 received the new security fixes. If automatic updates are not enabled, users should update from the “Updates” screen under “Dashboard” in the WordPress admin. Otherwise, users can download WordPress from the release archive and manually run an update to make sure their site is not at risk to what are now publicly-known vulnerabilities.
All O’Brien Media customers with website support agreements have now had their websites updated to WordPress 5.2.4 and any plugin and theme updates installed to keep sites secure.
Issue details
In the release announcement, the following security issues were noted. They were corrected in all updated versions.
- Stored cross-site scripting (XSS) could be added from the Customizer screen.
- An issue that allowed stored XSS to inject JavaScript into <style> tags.
- A bug that allowed unauthenticated posts to be viewed.
- A method to use the Vary: Origin header to poison the cache of JSON GET requests (REST API).
- A server-side request forgery (SSRF) with how URLs are validated.
- Issues with referrer validation in the WordPress admin.