Title: Version 5.5.18
Author: Jb Audras
Published: March 12, 2026

---

# Version 5.5.18

## In this article

 * [Installation/Update Information](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#installation-update-information)
 * [Summary](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#summary)
    - [Security updates](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#maintenance-updates)
 * [Change log](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#changelog)
    - [List of files revised](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#list-of-files-revised)
    - [List of packages revised](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#list-of-packages-revised)

[ Back to top](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#wp--skip-link--target)

On March 12, 2026, WordPress 5.5.18 was released to the public.

## 󠀁[Installation/Update Information](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#installation-update-information)󠁿

To get this version, update automatically from the Dashboard > Updates menu in your
site’s admin area or visit [https://wordpress.org/download/release-archive/](https://wordpress.org/download/release-archive/).

For step-by-step instructions on installing and updating WordPress:

 * [Updating WordPress](https://wordpress.org/documentation/article/updating-wordpress/)

If you are new to WordPress, we recommend that you begin with the following:

 * [New To WordPress – Where to Start](https://wordpress.org/support/article/new_to_wordpress_-_where_to_start/)
 * [First Steps With WordPress](https://wordpress.org/support/article/first-steps-with-wordpress/)
   or [Upgrading WordPress Extended](https://wordpress.org/documentation/article/upgrading-wordpress-extended-instructions/)
 * [WordPress Lessons](https://wordpress.org/support/article/wordpress-lessons/)

## 󠀁[Summary](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#summary)󠁿

### 󠀁[Security updates](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#maintenance-updates)󠁿

This release features several security fixes. Because this is a security release,**
it is recommended that you update your sites immediately.**

The security team would like to thank the following people for [responsibly reporting vulnerabilities](https://hackerone.com/wordpress?type=team),
and allowing them to be fixed in this release:

 * A Blind SSRF issue reported by [sibwtf](https://hackerone.com/sibwtf), and subsequently
   by several other researchers while the fix was being worked on
 * A PoP-chain weakness in the HTML API and Block Registry reported by [Phat RiO](https://github.com/hackerlo2003)
 * A stored XSS in nav menus reported by [Phill Savage](https://x.com/Savphill)
 * An AJAX `query-attachments` authorization bypass reported by [Vitaly Simonovich](https://www.vitalysim.com/)
 * A stored XSS via the `data-wp-bind` directive reported by [kaminuma](https://profiles.wordpress.org/kaminuma/)
 * An XSS that allows overridding client-side templates in the admin area reported
   by [Asaf Mozes](https://hackerone.com/amosec)
 * A PclZip path traversal issue reported independently by [Francesco Carlucci](https://profiles.wordpress.org/francescocarlucci/)
   and [kaminuma](https://profiles.wordpress.org/kaminuma/)

The WordPress security team have worked with the maintainer of the external getID3
library, James Heinrich, to coordinate a fix to getID3. A new version of getID3 
[is available here](https://github.com/JamesHeinrich/getID3/releases).
As a courtesy,
these fixes are being backported, where necessary, to all branches eligible to receive
security fixes (currently through 4.7). As a reminder, **only the most recent version
of WordPress is actively supported**.

## 󠀁[Change log](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#changelog)󠁿

### 󠀁[List of files revised](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#list-of-files-revised)󠁿

    ```wp-block-preformatted
    /wp-admin/includes/class-walker-nav-menu-checklist.php/wp-admin/includes/class-walker-nav-menu-edit.php/wp-admin/includes/file.php/wp-includes/html-api/wp-includes/class-wp-html-tag-processor.php/wp-includes/interactivity-api/class-wp-interactivity-api.php/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php/wp-includes/class-wp-block-patterns-registry.php/wp-includes/class-wp-http-ixr-client.php/wp-includes/media.php/wp-includes/nav-menu.php/wp-includes/template-loader.php
    ```

### 󠀁[List of packages revised](https://wordpress.org/documentation/wordpress-version/version-5-5-18/?output_format=md#list-of-packages-revised)󠁿

No package was revised.

First published

March 12, 2026

Last updated

March 12, 2026