On October 17, 2022, WordPress 4.8.20 was released to the public.
To get this version, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress – Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
Security updates included in this release
The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.
- Media: Refactor search by filename within the admin,
- REST API: Lockdown post parameter of the terms endpoint,
- Customize: Escape blogname option in underscores templates,
- Query: Validate relation in
- Posts, Post types: Apply KSES to post-by-email content,
- General: Validate host on “Are you sure?” screen,
- Posts, Post types: Remove emails from post-by-email logs,
- Pings/trackbacks: Apply KSES to all trackbacks,
- Mail: Reset PHPMailer properties between use,
- Widgets: Escape RSS error messages for display.
This release was led by Alex Concha (@xknown), Peter Wilson (@peterwilsoncc), Jb Audras (@audrasjb), and Sergey Biryukov (@SergeyBiryukov).
The release would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver several fixes into a stable release is a testament to the power and capability of the WordPress community.
@audrasjb, @costdev, @cu121, @dd32, @davidbaumwald, @ehtis, @johnbillion, @johnjamesjacoby, @martinkrcho, @matveb, @oztaser, @paulkevan, @peterwilsoncc,@ravipatel, @SergeyBiryukov, @talldanwp, @timothyblynjacobs, @tykoted, @voldemortensen, @vortfu, and @xknown.
List of updated packages
List of Files Revised