WordPress 5.4.2 Security and Maintenance Release

WordPress 5.4.2 is now available!

This security and maintenance release features 23 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade.

If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the bugs for you.

Security Updates

WordPress versions 5.4 and earlier are affected by the following bugs, which are fixed in version 5.4.2. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.

  • Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor.
  • Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
  • Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect().
  • Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads.
  • Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation.
  • Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.

One maintenance update was also deployed to versions 5.1, 5.2 and 5.3. See the related developer note for more information.

You can browse the full list of changes on Trac.

For more info, browse the full list of changes on Trac or check out the Version 5.4.2 documentation page.

WordPress 5.4.2 is a short-cycle maintenance release. The next major release will be version 5.5.

You can download WordPress 5.4.2 from the button at the top of this page, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Thanks and props!

In addition to the security researchers mentioned above, thank you to everyone who helped make WordPress 5.4.2 happen:

Andrea Fercia, argentite, M Asif Rahman, Jb Audras, Ayesh Karunaratne, bdcstr, Delowar Hossain, Rob Migchels, donmhico, Ehtisham Siddiqui, Emilie LEBRUN, finomeno, garethgillman, Giorgio25b, Gabriel Maldonado, Hector F, Ian Belanger, Aaron Jorbin, Mathieu Viet, Javier Casares, Joe McGill, jonkolbert, Jono Alderson, Joy, Tammie Lister, Kjell Reigstad, KT, markusthiel, Mayank Majeji, Mel Choyce-Dwan, mislavjuric, Mukesh Panchal, Nikhil Bhansi, oakesjosh, Dominik Schilling, Arslan Ahmed, Peter Wilson, Carolina Nymark, Stephen Bernhardt, Sam Fullalove, Alain Schlesser, Sergey Biryukov, skarabeq, Daniel Richards, Toni Viemerö, suzylah, Timothy Jacobs, TeBenachi, Jake Spurlock and yuhin.

Equity and the Power of Community

Over the past week, I’ve been thinking a lot about George Floyd, Breonna Taylor, and Ahmaud Arbery. I have been thinking about white supremacy, the injustice that Black women and men are standing up against across the world, and all the injustices I can’t know, and don’t see. 

The WordPress mission is to democratize publishing, and to me, that has always meant more than the freedom to express yourself. Democratizing publishing means giving voices to the voiceless and amplifying those speaking out against injustice. It means learning things that we otherwise wouldn’t. To me, it means that every voice has the ability to be heard, regardless of race, wealth, power, and opportunity. WordPress is a portal to commerce; it is a canvas for identity, and a catalyst for change.

While WordPress as an open source project may not be capable of refactoring unjust judicial systems or overwriting structural inequality, this does not mean that we, the WordPress community, are powerless. WordPress can’t dismantle white supremacy, but the WordPress community can invest in underrepresented groups (whose experiences cannot be substituted for) and hire them equitably. WordPress can’t eradicate prejudice, but the WordPress community can hold space for marginalized voices in our community.

There is a lot of racial, societal, and systemic injustice to fight. At times, change may seem impossible, and certainly, it’s been too slow. But I know in my heart that the WordPress community is capable of changing the world. 

If you would like to learn more about how to make a difference in your own community, here are a few resources I’ve gathered from WordPressers just like you.

The Month in WordPress: May 2020

May was an action-packed month for WordPress! WordPress organizers are increasingly moving WordCamps online, and contributors are taking big steps towards Full Site Editing with Gutenberg. To learn more and get all the latest updates, read on. 


Gutenberg 8.1 and 8.2

Gutenberg 8.1 was released on May 13, followed quickly by Gutenberg 8.2 on May 27. 

  • 8.1 added new block pattern features making it easier to insert desired patterns, along with a new pattern. It also added a button to the collapsed block actions for copying the selected block, which will help touchscreen users or users who don’t use keyboard shortcuts.
  • 8.2 introduced block pattern categories and a `viewportWidth` property that will be particularly useful for large block patterns. There is also a new content alignment feature, and enhancements to improve the writing experience.

Both releases include a number of new APIs, enhancements, bug fixes, experiments, new documentation, improvement to code quality, and more! To learn the latest, visit the announcement posts for Gutenberg 8.1 and Gutenberg 8.2.

Want to get involved in building Gutenberg? Follow the Core team blog, contribute to Gutenberg on GitHub, and join the #core-editor channel in the Making WordPress Slack group.

Gutenberg Phase 2: Steps Towards Full Site Editing

Contributors are currently working hard on Phase 2 of Gutenberg! Where Phase 1 introduced the new block editor with WordPress 5.0, Phase 2 sees more customization and includes one of the biggest Gutenberg projects: Full Site Editing (FSE). At the moment, work on WordPress 5.5 has been initiated and contributors decided to include basic functionality for Full Site Editing in this release. FSE hopes to streamline the site creation and building process in WordPress using a block-based approach. There’s a lot of conversation and new information about FSE, so communication around the project is very important. On May 28th, a conversation was held in the #core-customize channel to discuss FSE and the future of the Customizer. To help everyone track the latest information, this post summarizes ways to keep up with FSE.

Want to get involved with Gutenberg and FSE? Follow the Core team blog and join the #core-editor channel in the Making WordPress Slack group. You can also check the FSE pull requests and issues on GitHub.

Theme Review Team Rebranding

Representatives of the Themes Review Team have decided to update their team name to “Themes Team.” This decision reflects changes that the block editor brings to the landscape of themes with the Full Site Editing project. The team has always been involved in projects beyond reviewing WordPress.org themes and lately, the team has been contributing more to themes in general — including open-source packages, contributions to Full Site Editing, the Twenty Twenty theme, and more. You can read more about the name change in the team’s meeting notes.

Want to get involved with the Themes Team? Follow the Themes blog here, or join them in the #themereview channel in the Making WordPress Slack group.

Online WordCamp Program Announced

To assist organizers with moving their WordCamps online, the WordPress Community team has prepared a new set of guidelines for online WordCamps. The Community Team will cover online production and captioning costs associated with any online WordCamp without the need for local sponsorship. The team also updated its guidelines to cover the regional focus of online events, and modified the code of conduct to cater to the new format. The WordCamp schedule has also been updated to indicate whether an event is taking place online or not. You can find resources, tools, and information about online WordPress events in our Online Events Handbook. They have also prepared a new set of guidelines for in-person events taking place in 2020, in the light of COVID-19 challenges. 

Want to get involved with the Community team? Follow the Community blog here, or join them in the #community-events channel in the Making WordPress Slack group. To organize a Meetup or WordCamp, visit the handbook page.

BuddyPress 6.0.0 “iovine’s”

On May 13th, BuddyPress 6.0.0, known as “iovine’s,” was released. This release includes two new blocks for the WordPress Editor: Members and Groups. It also saw the completion of the BP REST API, adding the six remaining endpoints, and the move of local avatar management to the Members component. Beyond that, 6.0.0 includes more than 80 changes, made possible by 42 contributors.

Want to download this latest version of BuddyPress? Get it here. You can also help by translating BuddyPress into another language or letting the team know of any issues you find in the support forums.

WordCamp Spain Online Concludes Successfully

WordPress Meetup organizers in Spain joined hands to organize WordCamp Spain Online from May 6 to 9, which proved to be a huge success. The event had more than 5,500 attendees, 60 speakers, and 16 sponsors. Over 200 people from around the world participated in the Contributor Day. Matt Mullenweg hosted an AMA for the participants, facilitated by Matías Ventura’s on-the-spot Spanish translation.

If you missed the event, you can watch videos from WordCamp Spain online at WordPress.TV. Want to organize a regional WordCamp? Learn more about that here!


Further Reading:

Have a story that we should include in the next “Month in WordPress” post? Please submit it here.

The Month in WordPress: April 2020

April continued to be a challenging time for the WordPress community, with many under stay-at-home recommendations. However, it was also an exciting month in which we created new ways to connect with and inspire each other! This month, amazing contributors moved more WordCamps online and shipped new releases for WordPress and Gutenberg. For the latest, read on. 


WordPress 5.4.1 released

On April 24th, WordPress 5.4.1 Release Candidate 1 (RC1) was released for testing, quickly followed by the official release of WordPress 5.4.1 on April 29th. This security release features 17 bug fixes and seven security fixes, so we recommend updating your sites immediately. To download WordPress 5.4.1, visit your Dashboard, click on Updates, then Update Now, or download the latest version directly from WordPress.org. For more information, visit this post, review the full list of changes on Trac, or check out the version 5.4.1 HelpHub documentation page.

Want to get involved in building WordPress Core? Follow the Core team blog, and join the #core channel in the Making WordPress Slack group.

Gutenberg 7.9 and 8.0 released

It was another exciting month for Gutenberg, with the release of 7.9 and 8.0! Version 7.9 brought new block design tools, three new patterns, and improved block markup. Gutenberg 8.0 continued to refine the new block patterns feature, with additional options for inline formatting, and extending the functionality of the Code Editor. In addition to these new features, both releases included new enhancements and APIs, along with a number of bug fixes, performance improvements, some experiments, and more! You can read all the details about the latest Gutenberg releases in the announcement posts for 7.9 and 8.0.

Want to get involved in building Gutenberg? Follow the Core team blog, contribute to Gutenberg on GitHub, and join the #core-editor channel in the Making WordPress Slack group.

BuddyPress 6.0.0

BuddyPress 6.0.0-beta2 was released for testing in mid-April, leading to the BuddyPress 6.0.0 Release Candidate, announced on April 29. This is an important step before the final release of BuddyPress 6.0.0, which is slated for Thursday, May 14. Changes and new features in this release include moving the profile photo and user cover image under the BP Members component, and a new BP REST API. Additionally, this release will introduce the first round of BuddyPress Blocks! Last, but not least, BuddyPress 6.0.0 will require at least PHP 5.6 and WordPress 4.8.

Want to get involved? Test the 6.0.0-RC here! You can also help by translating BuddyPress into another language, or let the team know of any issues you find, either in the support forums or in their development tracker.

WordCamp US goes online, apply to speak!

WordCamp US will take place online due to the COVID-19 pandemic. The event still runs from October 27-29, 2020, and will be free to anyone who wishes to attend. The team plans to offer what WCUS has historically brought to the community in person: sessions and workshops, Contributor Day, a hallway track, and of course, State of the Word.

Interested in speaking at WCUS? The Call for Speakers is still open! You can apply to speak on the speaker application site until May 31, 2020 at 11:59 pm CDT (UTC-5). 

Additionally, the Call for Cities is also open. If your community is interested in hosting WordCamp US in 2021 & 2022, please fill out this application.

For the latest information about WordCamp US, sign up for updates on the website, or follow Facebook, Twitter, or Instagram.

WordCamp Europe 2020 goes virtual

Last month, WordCamp Europe decided to postpone its Porto event to 2021. This April, the WCEU organizing team announced that the 2020 WordCamp will be online! WordCamp Europe 2020 Online will take place from June 4-6, 2020, and tickets will be free. There will be a virtual Contributor Day on June 4, and then two half days of live-streamed talks and workshops. To participate, get your free ticket here.

To get the latest news for WordCamp Europe 2020 Online, follow on Facebook, Twitter, LinkedIn, or on Instagram.


Further Reading

Have a story that we should include in the next “Month in WordPress” post? Please submit it here.

WordPress 5.4.1

WordPress 5.4.1 is now available!

This security and maintenance release features 17 bug fixes in addition to 7 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.4.1 is a short-cycle security and maintenance release. The next major release will be version 5.5.

You can download WordPress 5.4.1 from WordPress.org, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Seven security issues affect WordPress versions 5.4 and earlier. If you haven’t yet updated to 5.4, all WordPress versions since 3.7 have also been updated to fix the following security issues:

  • Props to Muaz Bin Abdus Sattar and Jannes who both independently reported an issue where password reset tokens were not properly invalidated.
  • Props to ka1n4t for finding an issue where certain private posts can be viewed unauthenticated.
  • Props to Evan Ricafort for discovering an XSS issue in the Customizer.
  • Props to Ben Bidner from the WordPress Security Team who discovered an XSS issue in the search block.
  • Props to Nick Daugherty from WordPress VIP / WordPress Security Team who discovered an XSS issue in wp-object-cache.
  • Props to Ronnie Goodrich (Kahoots) and Jason Medeiros who independently reported an XSS issue in file uploads.
  • Props to Weston Ruter for fixing a stored XSS vulnerability in the WordPress customizer.
  • Additionally, an authenticated XSS issue in the block editor was discovered by Nguyen The Duc (ducnt) in WordPress 5.4 RC1 and RC2. It was fixed in 5.4 RC5. We wanted to be sure to give credit and thank them for all of their work in making WordPress more secure.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.

For more information, browse the full list of changes on Trac, or check out the version 5.4.1 HelpHub documentation page.

In addition to the security researchers mentioned above, thank you to everyone who helped make WordPress 5.4.1 happen:

Alex Concha, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andy Fragen, Andy Peatling, arnaudbroes, Chris Van Patten, Daniel Richards, DhrRob, Dono12, dudo, Ehtisham Siddiqui, Ella van Durpe, Garrett Hyder, Ian Belanger, Ipstenu (Mika Epstein), Jake Spurlock, Jb Audras, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Jorge Costa, K. Adam White, Kelly Choyce-Dwan, MarkRH, mattyrob, Miguel Fonseca, Mohammad Jangda, Mukesh Panchal, Nick Daugherty, noahtallen, Paul Biron, Peter Westwood, Peter Wilson, pikamander2, r-a-y, Riad Benguella, Robert Anderson, Samuel Wood (Otto), Sergey Biryukov, Søren Brønsted, Stanimir Stoyanov, tellthemachines, Timothy Jacobs, Toro_Unit (Hiroshi Urabe), treecutter, and yohannp.
