WordPress 5.3.1 is a security and maintenance release that has 46 fixes and enhancements. And even better, it fixes serval security problems found by the following people: Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API. Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links. WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute. Nguyen The Duc for discovering a stored XSS vulnerability using block editor content. Do a free scan at wpsec.com to check if your WordPress installation is safe.
The popular WooCommerce WordPress plugin, used by 28 percent of all online stores, was just patched against a reflected cross-site scripting vulnerability (XSS). The vulnerability was found by the company SiteLock. The plugin vulnerability was disclosed to Automattic, the owner of, via its HackerOne security bounty program. The fix for the vulnerability was released on July 28th and if you use WPScans.com you can scan for this vulnerability or use our premium version and get an E-mail warning. The vulnerability can be tested with: curl -X POST -d “vendor_description=<script>alert(“xss”)</script>” “https://steelpress.org/index.php/product-vendor-registration-form/?confirm_email=1&email=1&firstname=1&lastname=1&location=1®ister=Register&username=1&vendor_description=1&vendor_name=