Version 5.3.4

On June 10, 2020, WordPress 5.3.4 was released to the public.

Installation/Update Information

To download WordPress 5.3.4, visit WordPress releases archive.

For step-by-step instructions on installing and updating WordPress:

If you are new to WordPress, we recommend that you begin with the following:

Summary

Security updates

Five security issues affect WordPress versions 5.4 and earlier.

  • Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor
  • Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
  • Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect()
  • Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads
  • Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation.
  • Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.

Maintenance updates

One maintenance update was exceptionally backported from 5.4.2 to older branches:

  • 49956 – Spammers able to share unmoderated comments (see dev note below)

Notes for developers

List of Files Revised

wp-admin/themes.php
wp-admin/includes/misc.php
wp-admin/includes/media.php
wp-includes/class-walker-comment.php
wp-includes/class-wp-comment-query.php
wp-includes/comment-template.php
wp-includes/comment.php
wp-includes/default-filters.php
wp-includes/embed.php
wp-includes/pluggable.php
wp-includes/version.php
package-lock.json
package.json
wp-comments-post.php

Updated packages

@wordpress/block-library: 2.4.7
@wordpress/edit-post: 3.3.7

First published

Last updated