On January 6, 2022, WordPress 4.8.18 was released to the public.
To get this version, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress – Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
3 security issues affect WordPress versions between 3.7 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issues:
- Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for disclosing an issue with stored XSS through post slugs.
- Props to Simon Scannell of SonarSource for reporting an issue with Object injection in some multisite installations.
- Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a WP_Query SQLi vulnerability.
- Props to Ben Bidner from the WordPress security team for reporting a SQL injection vulnerability in WP_Meta_Query.
Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked. Thank you to the members of the WordPress security team for implementing these fixes in WordPress.
For more information, browse the full list of changes on Trac.
List of Files Revised
/wp-admin/includes/upgrade.php /wp-includes/class-wp-meta-query.php /wp-includes/class-wp-tax-query.php /wp-includes/formatting.php /wp-includes/post.php