The core WordPress team released version 5.2.4 of WordPress on October 14. The release addresses six security issues that were all privately reported through WordPress’ responsible disclosure procedure.

Like any security release, users should update immediately to the latest version to keep their sites secure.

For those with automatic updates enabled, the new version is already rolling out to sites. All major branches of WordPress from version 3.7 to 5.2 received the new security fixes. If automatic updates are not enabled, users should update from the “Updates” screen under “Dashboard” in the WordPress admin. Otherwise, users can download WordPress from the release archive and manually run an update to make sure their site is not at risk to what are now publicly-known vulnerabilities.

In the release announcement, the following security issues were noted. They were corrected in all updated versions.

  • Stored cross-site scripting (XSS) could be added from the Customizer screen.
  • An issue that allowed stored XSS to inject JavaScript into <style> tags.
  • A bug that allowed unauthenticated posts to be viewed.
  • A method to use the Vary: Origin header to poison the cache of JSON GET requests (REST API).
  • A server-side request forgery (SSRF) with how URLs are validated.
  • Issues with referrer validation in the WordPress admin.

For developers who want to dive more into the code changes, the changeset is available on GitHub. Most changes should not affect plugins or themes. However, it is worth noting that the static query property was removed in this release. This removal affects both the WP and WP_Query classes. Developers should test their plugins against this version to make sure nothing is broken if their projects rely on this property. It is unlikely that many plugins rely on this query variable.

WordPress 5.2.4 also includes a couple of other bug fixes. One removes a line of code that makes an extra call to the wp-sanitize.js script in the script loader. The second fix addresses an issue where the directory path wasn’t normalized on Windows systems, which led to the wp_validate_redirect() function removing the domain. This fixes a bug created in WordPress 5.2.3.