WordPress 5.2.4 release with 6 new security fixes. All of those security issues were reported by the WordPress community audience. WordPress version 5.2.3 is affected by these bugs which are later fixed in WordPress version 5.2.4.
Earlier WordPress versions from 3.7 to 5.2, all of the following issues fixed in 5.2.4 release.
- One of the issues where stored XSS (cross-site scripting) could be added via the Customizer.
- An issue through which you can easily view unauthenticated posts
- A method using Vary: Origin header to poison the cache of JSON GET requests
- Server-side request forgery(SSRF) in the way that URLs are validated
- Bug related to referrer validation in the admin
These are the files where code changes are placed:
/wp-includes/functions.php /wp-includes/class-wp.php /wp-includes/class-wp-query.php /wp-includes/pluggable.php /wp-includes/http.php /wp-includes/rest-api.php
You can find the complete code changes on GitHub.
WordPress version 5.2.4 completely focuses on security fixes. However, some changes also notified in this release such as script loader where they remove this line of code:
( $scripts->add( 'wp-sanitize', "/wp-includes/js/wp-sanitize$suffix.js", array( 'jquery' ), false, 1 );
It was removed and now the code above makes an extra call to wp-sanitize.js.
Also, some other lines of code have been added in the pluggable script and redirect script to adjust the Windows path when validating the location of the relative URLs.
If the automatic updates are turned as enabled on your WordPress, then this version may already be installed on your site. If it will not update automatically then you have to install this latest version by going to Dashboard> Updates > Update Now menu in your site’s admin area. The other way is to download WordPress from the release archive.