On October 29, 2020, WordPress 5.5.2 was released to the public.
To download WordPress 5.5.2, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress – Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
Ten security issues affect WordPress versions 5.5 and earlier; version 5.5.2 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.5, there are also updated versions of 5.4 and earlier that fix the security issues.
- Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
- Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
- Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
- Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
- Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
- Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
- Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
- And a special thanks to @zieladam who was integral in many of the releases and patches during this release.
WordPress 5.5.2 also fixes some regressions introduced in version 5.5:
- #51130 – Events displayed in venue timezone instead of user’s
- #51659 – Update Gutenberg Dependencies for WordPress 5.5.2
- #50861 – Remove Facebook and Instagram as an oEmbed Source
- #50903 – Set the local environment to a development environment type by default
- #50949 – Posts show wrong time when user is in a different time zone than the site’s
- #51053 – Video Embeds set to align left disappear in Gutenberg editor
- #51175 – Wrong reply box title
- #51219 – Theme editor page showing undefined variable notice
- #51251 – Fix PHP notice when opening the edit image popup
- #51263 – PHP warning when editing comments in the administration comment edit screen
- #51320 – PHP Notice while moving post to trash (post_type has 2 registered taxonomies both with default_term set)
- #51400 – Undefined index during automatic plugin/theme updates
- #51595 – Unable to make anonymous comments via XML-RPC
- #51645 – Undefined index: echo in core files
WordPress 5.5.2 was led by @whyisjake and the release squad: @audrasjb, @davidbaumwald, @desrosj, @johnbillion, @metalandcoffee, @noisysocks @planningwrite, @sarahricker and @sergeybiryukov.
Thank you to everyone who contributed to WordPress 5.5.2:
Aaron Jorbin, Alex Concha, Amit Dudhat, Andrey “Rarst” Savchenko, Andy Fragen, Ayesh Karunaratne, bridgetwillard, Daniel Richards, David Baumwald, Davis Shaver, dd32, Florian TIAR, Hareesh, Hugh Lashbrooke, Ian Dunn, Igor Radovanov, Jake Spurlock, Jb Audras, John Blackbourn, Jonathan Desrosiers, Jon Brown, Joy, Juliette Reinders Folmer, kellybleck, mailnew2ster, Marcus Kazmierczak, Marius L. J., Milan Dinić, Mohammad Jangda, Mukesh Panchal, Paal Joachim Romdahl, Peter Wilson, Regan Khadgi, Robert Anderson, Sergey Biryukov, Sergey Yakimov, Syed Balkhi, szaqal21, Tellyworth, Timi Wahalahti, Timothy Jacobs, Towhidul I. Chowdhury, Vinayak Anivase, and zieladam.
For more information, browse the full list of changes on Trac.
List of Files Revised
wp-admin/about.php wp-admin/admin-header.php wp-admin/comment.php wp-admin/includes/ajax-actions.php wp-admin/includes/class-custom-background.php wp-admin/includes/class-custom-image-header.php wp-admin/includes/class-wp-automatic-updater.php wp-admin/includes/class-wp-community-events.php wp-admin/includes/dashboard.php wp-admin/includes/media.php wp-admin/includes/ms.php wp-admin/includes/template.php wp-admin/js/custom-background.js wp-admin/js/custom-background.min.js wp-admin/js/dashboard.js wp-admin/js/dashboard.min.js wp-admin/js/media-gallery.js wp-admin/js/media-gallery.min.js wp-admin/media-new.php wp-admin/network/site-users.php wp-includes/Requests/Utility/FilteredIterator.php wp-includes/assets/script-loader-packages.php wp-includes/class-wp-oembed.php wp-includes/class-wp-xmlrpc-server.php wp-includes/comment-template.php wp-includes/css/dist/block-editor/style-rtl.css wp-includes/css/dist/block-editor/style-rtl.min.css wp-includes/css/dist/block-editor/style.css wp-includes/css/dist/block-editor/style.min.css wp-includes/css/dist/block-library/editor-rtl.css wp-includes/css/dist/block-library/editor-rtl.min.css wp-includes/css/dist/block-library/editor.css wp-includes/css/dist/block-library/editor.min.css wp-includes/css/dist/components/style-rtl.css wp-includes/css/dist/components/style-rtl.min.css wp-includes/css/dist/components/style.css wp-includes/css/dist/components/style.min.css wp-includes/embed.php wp-includes/functions.php wp-includes/general-template.php wp-includes/images/crystal/license.txt wp-includes/js/comment-reply.js wp-includes/js/comment-reply.min.js wp-includes/js/dist/block-editor.js wp-includes/js/dist/block-editor.min.js wp-includes/js/dist/block-library.js wp-includes/js/dist/block-library.min.js wp-includes/js/dist/blocks.js wp-includes/js/dist/blocks.min.js wp-includes/js/dist/components.js wp-includes/js/dist/components.min.js wp-includes/js/dist/editor.js wp-includes/js/dist/editor.min.js wp-includes/meta.php wp-includes/post.php wp-includes/script-loader.php wp-includes/version.php
@popperjs/core: 2.5.3 @wordpress/block-directory: 1.13.8 @wordpress/block-editor: 4.3.8 @wordpress/block-library: 2.22.8 @wordpress/blocks: 6.20.4 @wordpress/components: 10.0.7 @wordpress/core-data: 2.20.4 @wordpress/edit-post: 3.21.8 @wordpress/editor: 9.20.8 @wordpress/format-library: 1.22.8 @wordpress/icons: 2.4.1 @wordpress/interface: 0.7.7 @wordpress/list-reusable-blocks: 1.21.7 @wordpress/nux: 3.20.7 @wordpress/plugins: 2.20.4 @wordpress/server-side-render: 1.16.7 body-scroll-lock: 3.1.5 compute-scroll-into-view: 1.0.16 dotenv: 8.2.0 re-resizable: 6.7.0 react-easy-crop: 3.2.2 react-use-gesture: 7.0.16 simple-html-tokenizer: 0.5.10 tinycolor2: 1.4.2 ua-parser-js: 0.7.22 uc.micro: 1.0.6