Update: Due to some problems with the 5.5.2 release, 5.5.3 was quickly released.
WordPress 5.5.2 has been released and it contains ten security issues affecting WordPress version 5.5.1 and earlier. If you haven’t yet updated to 5.5, all previous WordPress versions since 3.7 have also been updated to fix the following security issues:
- Alex Concha of the WordPress Security Team helped with the hardening of deserialization requests.
- David Binovec worked on a fix to disable spam embeds from disabled sites on a multisite network.
- Marc Montas reported an issue that could lead to XSS from global variables.
- Justin Tran reported a privilege escalation issue in XML-RPC. He also reported a privilege escalation issue in post commenting via XML-RPC.
- Omar Ganiev reported a method where a Denial of Service attack could lead to Remote Code Execution (RCE).
- Karim El Ouerghemmi reported a method to store XSS in post slugs.
- Slavco and Karim El Ouerghemmi reported and fixed a method to bypass protected meta that could lead to arbitrary file deletion.
- Erwan LR from WPScan reported a method that could lead to CSRF.
- @zieladam, who was integral in many of the releases and patches.
WPSec and the team would like to thank you all for helping to make the WordPress ecosystem even more secure. All reporting is important for the community and for everyone using WordPress.
Also remember to sign up for WPSec to continuously scan for new vulnerabilities in WordPress, themes and plugins. Sign up for free below: