WordPress versions 5.2.3 and earlier are affected by the security bugs listed below, which are fixed in version 5.2.4. Security updates are also available for WordPress 5.1 and earlier.
List of Security Fixes
- Ben Bidner of the WordPress Security Team, who discovered issues related to referrer validation in the admin.
- Evan Ricafort, for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.
- J.D. Grimes, who found and disclosed a method of viewing unauthenticated posts.
- David Newman, for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.
- Eugene Kolodenker, who found a server-side request forgery in the way that URLs are validated.
WPSec would like to thank all the above people and also those who privately disclose vulnerabilities to the WordPress team.
View the full list of changes on the 5.2.4 documentation page.