WordPressers! A brand new version of WordPress is here with better security and bug fixes. The WordPress 5.5.2 Security and Maintenance Release is now available for the public to test. This update was released yesterday and includes 14 bug fixes and 10 security fixes. The release applies to all previous versions of WordPress. We therefore recommend testing this update first and then applying it to your WordPress site.
The WordPress 5.4.2 Security and Maintenance release includes a total of 24 enhancements, including a handful of security fixes.
You can either directly download WordPress 5.5.2 Security and Maintenance Release or venture over to Dashboard > Updates and simply click “Update Now”. Websites that support automatic background updates are already beginning to update to v5.5.2.
Since this is a security and maintenance release, we suggest you update your site ASAP to avoid fatal errors.
Security Updates in WordPress 5.5.2
- Hardening deserialization requests.
- Fix to disable spam embeds from disabled sites on a multisite network.
- Fixed an issue that could lead to XSS from global variables.
- Fixed an issue with privilege escalation in XML-RPC, and a related privilege escalation issue in post commenting via XML-RPC.
- Fixed a method by which a DoS attack could lead to RCE.
- Fixed a method to store XSS in post slugs.
- Fixed a method to bypass protected meta that could lead to arbitrary file deletion.
- Fixed a method that could lead to CSRF.

Special thanks to @zieladam, who was integral to many of the releases and patches during this release.
According to the official announcement post, the WordPress 5.5.2 Security and Maintenance release is a short-cycle release, and the next major release is going to be WordPress 5.6 in December.
You can check out the full changelog to learn more about the changes in this release.