On October 17, 2022, WordPress 5.9.4 was released to the public.
To get this version, update automatically from the Dashboard > Updates menu in your site’s admin area or visit https://wordpress.org/download/release-archive/.
For step-by-step instructions on installing and updating WordPress:
If you are new to WordPress, we recommend that you begin with the following:
- New To WordPress – Where to Start
- First Steps With WordPress or Upgrading WordPress Extended
- WordPress Lessons
Security updates included in this release
The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release.
- Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
- Open redirect in `wp_nonce_ays` – devrayn
- Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
- Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
- CSRF in wp-trackback.php – Simon Scannell
- Stored XSS via the Customizer – Alex Concha from the WordPress security team
- Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
- Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
- Data exposure via the REST Terms/Tags Endpoint – Than Taintor
- Content from multipart emails leaked – Thomas Kräftner
- SQL Injection due to improper sanitization in `WP_Date_Query` – Michael Mazzolini
- RSS Widget: Stored XSS issue – Third-party security audit
- Stored XSS in the search block – Alex Concha of the WP Security team
- Feature Image Block: XSS issue – Third-party security audit
- RSS Block: Stored XSS issue – Third-party security audit
- Fix widget block XSS – Third-party security audit
This release was led by Alex Concha (@xknown), Peter Wilson (@peterwilsoncc), Jb Audras (@audrasjb), and Sergey Biryukov (@SergeyBiryukov).
The release would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver several fixes into a stable release is a testament to the power and capability of the WordPress community.
@audrasjb, @costdev, @cu121, @dd32, @davidbaumwald, @ehtis, @johnbillion, @johnjamesjacoby, @martinkrcho, @matveb, @oztaser, @paulkevan, @peterwilsoncc,@ravipatel, @SergeyBiryukov, @talldanwp, @timothyblynjacobs, @tykoted, @voldemortensen, @vortfu, and @xknown.
List of updated packages
List of Files Revised