Version 5.1.7

On October 29, 2020, WordPress 5.1.7 was released to the public.

Installation/Update Information

To download this version, update automatically from the Dashboard > Updates menu in your site’s admin area or visit WordPress releases archive.

For step-by-step instructions on installing and updating WordPress:

• Updating WordPress

If you are new to WordPress, we recommend that you begin with the following:

• New To WordPress – Where to Start
• First Steps With WordPress or Upgrading WordPress Extended
• WordPress Lessons

Summary

Security updates

• Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
• Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
• Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
• Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
• Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
• Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
• Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
• And a special thanks to @zieladam who was integral in many of the releases and patches during this release.

This release was led by @audrasjb, @davidbaumwald, @desrosj, @johnbillion, @metalandcoffee, @noisysocks @planningwrite, @sarahricker, @sergeybiryukov and @whyisjake.