WordPress 5.1.1 is now available for automatic upgrade or download. This new WordPress version is a security and maintenance release. The release introduces 10 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in WordPress 5.2.
The release also includes security fixes that change how comments are filtered and then stored in the underlying MySQL database. With a specially crafted comment, a WordPress post was vulnerable to cross-site scripting (XSS) attacks.
WordPress versions 5.1 and earlier are all affected by these security bugs, which are fixed in version 5.1.1. Updated versions of WordPress 5.0 and earlier are also available for any users who have not updated to 5.1.
This new vulnerability was found by Simon Scannell at RIPS Technologies and by the WordPress core team.
Other fixes in this release include:
- Hosts can now offer a button for their users to update PHP.
- The recommended PHP version used by the “Update PHP” notice can now be filtered.
- Several minor bug fixes.
You can also use WPScans.com to scan for this new vulnerability.