WordPress 5.8.3 Security Release

This security release features four security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.8.3 is a short-cycle security release. The next major release will be version 5.9, which is already in the Release Candidate stage.

You can update to WordPress 5.8.3 by downloading from WordPress.org or by visiting your Dashboard → Updates and clicking “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Four security issues affect WordPress versions between 3.7 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issues (except where noted otherwise):

  • Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for disclosing an issue with stored XSS through post slugs.
  • Props to Simon Scannell of SonarSource for reporting an issue with Object injection in some multisite installations.
  • Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a SQL injection vulnerability in WP_Query.
  • Props to Ben Bidner from the WordPress security team for reporting a SQL injection vulnerability in WP_Meta_Query (only relevant to versions 4.1-5.8). 

Thank you to all of the reporters above for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked. Thank you to the members of the WordPress security team for implementing these fixes in WordPress.

For more information, check out the 5.8.3 HelpHub documentation page.

Thanks and props!

The 5.8.3 release was led by @desrosj and @circlecube.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.3 happen:

Alex ConchaDion HulseDominik SchillingehtisEvan MullinsJake SpurlockJb AudrasJonathan DesrosiersIan DunnPeter WilsonSergey Biryukovvortfu, and zieladam.

WordPress 5.8.2 Security and Maintenance Release

WordPress 5.8.2 is now available!

This security and maintenance release features 2 bug fixes in addition to 1 security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.2 have also been updated.

WordPress 5.8.2 is a small focus security and maintenance release. The next major release will be version 5.9.

You can download WordPress 5.8.2 by downloading from WordPress.org, or by visiting your Dashboard → Updates and clicking “Update Now”. If you have sites that support automatic background updates, they’ve already started the update process.

For more information, browse the full list of changes on Trac, or check out the version 5.8.2 HelpHub documentation page.

Thanks and props!

The 5.8.2 release was led by Jonathan Desrosiers and Evan Mullins.

In addition to the release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.2 happen: Ari StathopoulosBradley TaylordavidwebcaEvan MullinsGreg ZiółkowskiJonathan DesrosiersJuliette Reinders FolmerMukesh PanchalSergey Biryukovshimon246, and Yui.

WordPress 5.8.1 Security and Maintenance Release

WordPress 5.8.1 is now available!

This security and maintenance release features 60 bug fixes in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.

WordPress 5.8.1 is a short-cycle security and maintenance release. The next major release will be version 5.9.

You can download WordPress 5.8.1 by downloading from WordPress.org, or by visiting your Dashboard → Updates and clicking “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Three security issues affect WordPress versions between 5.4 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 5.4 have also been updated to fix the following security issues:

  • Props to @mdawaffe, a member of the WordPress Security Team, for their work fixing a data exposure vulnerability within the REST API.
  • Props to Michał Bentkowski of Securitum for reporting a XSS vulnerability in the block editor.
  • The Lodash library has been updated to version 4.17.21 in each branch to incorporate upstream security fixes.

In addition to these issues, the security team would like to thank the following people for reporting vulnerabilities during the WordPress 5.8 beta testing period, allowing them to be fixed prior to release:

  • Props to Evan Ricafort for reporting a XSS vulnerability in the block editor discovered during the 5.8 release’s beta period.
  • Props to Steve Henty for reporting a privilege escalation issue in the block editor.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the WordPress security team time to fix the vulnerabilities before WordPress sites could be attacked.

For more information, browse the full list of changes on Trac, or check out the version 5.8.1 HelpHub documentation page.

Thanks and props!

The 5.8.1 release was led by Jonathan Desrosiers and Evan Mullins.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.1 happen: 2linctoolsAdam ZielinskiAlain SchlesserAlex LendealexstineAlGalaAndréAndrei DraganescuAndrew OzzAnkit PanchalAnthony BurchellAnton VlasenkoAri StathopoulosBruno RibaricCarolina NymarkDaisy OlsenDaniel RichardsDariaDavid AndersonDavid BiňovecDavid HerreraDominik SchillingElla van DurpeEnchiridionEvan MullinsGary JonesGeorge MamadashviliGreg ZiółkowskiHéctor PrietoianmjonesJb AudrasJeff BowenJoe DolsonJoen A.John BlackbournJonathan DesrosiersJuanMa GarridoJuliette Reinders FolmerKai HaoKapil PaulKerry LiuKevin FodnessMarcus KazmierczakMark-kMattMichael Adams (mdawaffe)Mike Schrodermoch11Mukesh PanchalNik TsekourasPaal Joachim RomdahlPascal BirchlerPaul BearnePaul BironPeter WilsonPetter Walbø JohnsgårdRadixwebRahul MehtaramonopolyravipatelRiad BenguellaRobert AndersonRodrigo AriasSanket ChodavadiyaSergey BiryukovStephen BernhardtStephen EdgarSteve HentyterralingTimothy JacobstmatsuurTobiasBgTonya MorkToro_Unit (Hiroshi Urabe)Vlad Twb1234, and WFMattR.

WordPress 5.7.2 Security Release

WordPress 5.7.2 is now available.

This security release features one security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.7.2 is a short-cycle security release. The next major release will be version 5.8.

You can update to WordPress 5.7.2 by downloading from WordPress.org, or by visiting your Dashboard → Updates and clicking “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

One security issue affecting WordPress versions between 3.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issue:

Thank you to the members of the WordPress security team for implementing these fixes in WordPress.

For more information refer to the version 5.7.2 HelpHub documentation page.

Thanks and props!

The 5.7.2 release was led by @peterwilsoncc and @audrasjb.

Thank you to everyone who helped make WordPress 5.7.2 happen: @audrasjb@ayeshrajans@desrosj@dd32@peterwilsoncc@SergeyBiryukov, and @xknown.

WordPress 5.7.1 Security and Maintenance Release

WordPress 5.7.1 is now available!

This security and maintenance release features 26 bug fixes in addition to two security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 4.7 have also been updated.

WordPress 5.7.1 is a short-cycle security and maintenance release. The next major release will be version 5.8.

You can download WordPress 5.7.1 by downloading from WordPress.org, or by visiting your Dashboard → Updates and clicking “Update Now”.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Two security issues affect WordPress versions between 4.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 4.7 have also been updated to fix the following security issues:

  • Thank you SonarSource for reporting an XXE vulnerability within the media library affecting PHP 8.
  • Thank you Mikael Korpela for reporting a data exposure vulnerability within the REST API.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.

Props to Adam ZielinskiPascal BirchlerPeter WilsonJuliette Reinders FolmerAlex ConchaEhtisham SiddiquiTimothy Jacobs and the WordPress security team for their work on these issues.

For more information, browse the full list of changes on Trac, or check out the version 5.7.1 HelpHub documentation page.

Thanks and props!

The 5.7.1 release was led by @peterwilsoncc and @audrasjb.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.7.1 happen:

99wAdam SilversteinAndrew OzzannalamprouanotherdaveAri StathopoulosAyesh KarunaratnebobbingwideBrechtDaniel RichardsDavid BaumwalddkooDominik SchillingdragongateeatsleepcodeElla van DurpeErikFabian PimmingerFelix ArntzFlorian TIARgab81Gal BarasGeoffreyGeorge MamadashviliGlen DaviesGreg ZiółkowskigrzimIpstenu (Mika Epstein)Jake SpurlockJayman PandyaJb AudrasJoen A.Johan Jonk StenströmJohannes KinastJohn BlackbournJohn James JacobyJonathan DesrosiersJosee WoutersJoyk3nsaiKelly Choyce-DwanKerry LiuMarius L. J.Mel Choyce-DwanMikhail KobzarevmmuyskensMukesh Panchalnicegamer7Otshelnik-FmPaal Joachim RomdahlpalmiakPascal BirchlerPeter WilsonpwallnerRachel BakerRiad BenguellaRinat KhazievRobert AndersonRoger TheriaultSergey BiryukovSergey YakimovSirStueystefanjoebstlStephen BernhardtSumit SinghSybre WaaijerSynchroTerri AnntigertechTimothy JacobstmatsuurTobiasBgTonya MorkToru MikiUlrich, and Vlad T.