Version 5.9.5

On October 17, 2022, WordPress 5.9.4 was released to the public.

Installation/Update Information

To get this version, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.

For step-by-step instructions on installing and updating WordPress:

If you are new to WordPress, we recommend that you begin with the following:

Summary

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.

  • Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Open redirect in `wp_nonce_ays` – devrayn
  • Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
  • CSRF in wp-trackback.php – Simon Scannell
  • Stored XSS via the Customizer – Alex Concha from the WordPress security team
  • Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
  • Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
  • Data exposure via the REST Terms/Tags Endpoint – Than Taintor
  • Content from multipart emails leaked – Thomas Kräftner
  • SQL Injection due to improper sanitization in `WP_Date_Query` – Michael Mazzolini
  • RSS Widget: Stored XSS issue – Third-party security audit
  • Stored XSS in the search block – Alex Concha of the WP Security team
  • Feature Image Block: XSS issue – Third-party security audit
  • RSS Block: Stored XSS issue – Third-party security audit
  • Fix widget block XSS – Third-party security audit

Credits

This release was led by Alex Concha (@xknown), Peter Wilson (@peterwilsoncc), Jb Audras (@audrasjb), and Sergey Biryukov (@SergeyBiryukov).

The release would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver several fixes into a stable release is a testament to the power and capability of the WordPress community.

@audrasjb@costdev@cu121@dd32@davidbaumwald@ehtis@johnbillion@johnjamesjacoby@martinkrcho@matveb@oztaser@paulkevan@peterwilsoncc,@ravipatel@SergeyBiryukov@talldanwp@timothyblynjacobs@tykoted@voldemortensen@vortfu, and @xknown.

List of updated packages

COMING SOON…

List of Files Revised

COMING SOON…

First published

Last updated