On April 29, 2020, WordPress 5.3.3 was released to the public.
Installation/Update Information
To download WordPress 5.3.3, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress – Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
Summary
Security updates
Six security issues affect WordPress versions 5.4 and earlier; version 5.4.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.
- Props to Muaz Bin Abdus Sattar and Jannes who both independently reported an issue where password reset tokens were not properly invalidated
- Props to ka1n4t for finding an issue where certain private posts can be viewed unauthenticated
- Props to Evan Ricafort for discovering an XSS issue in the Customizer
- Props to Ben Bidner from the WordPress Security Team who discovered an XSS issue in the search block
- Props to Nick Daugherty from WPVIP.com / WordPress Security Team who discovered an XSS issue in wp-object-cache
- Props to Ronnie Goodrich (Kahoots) and Jason Medeiros who independently reported an XSS issue in file uploads
Maintenance updates
- #39768 – Incorrect image returned with attachment_url_to_postid()
- #49013 – Alignment of form controls inside a custom meta box
- #49018 – Cleanup CSS for .language-chooser large Continue button
- #49038 – Timezone setting does not display correct time of next DST transition
- #49048 – Add unit tests for v5.3.1 block serialization functions
- #49050 – skipOnAutomatedBranches() does not work as expected
- #49115 – Published on select dropdown has a line height issue in WP Admin
- #49134 – Missing translation string in media-views.js
- #49197 – button padding on edit plug and edit theme on mobile device
- #49476 – Incorrect links to export/delete personal data in emails
List of Files Revised
- /wp-includes/blocks/rss.php
- /wp-includes/blocks/search.php
- /wp-includes/cache.php
- /wp-includes/class-wp-customize-manager.php
- /wp-includes/class-wp-query.php
- /wp-includes/formatting.php
- /wp-includes/post.php
- /wp-includes/user.php