WordPress 5.4.2 Security and Maintenance Release

Yesterday, June 10th, WordPress released version 5.4.2, which was a security and maintenance release.

Version 5.4.2 of WordPress fixes 6 separate security issues: three authenticated Cross-Site Scripting (XSS) vulnerabilities, one potential Open Redirect vulnerability, one privilege escalation vulnerability, and one issue where comments on password-protected posts and pages could be exposed in certain circumstances.

As well as the 5.4.2 minor version release, WordPress also released security fixes for WordPress versions as far back as version 3.7, which was released in 2013. This is the full list of minor versions that WordPress released to fix the six security issues:


Below are the 6 security issues fixed by WordPress in version 5.4.2:

WordPress < 5.4.2 – Authenticated XSS via Media Files

This issue was reported to WordPress by Luigi. He identified a Cross-Site Scripting (XSS) issue where authenticated users with upload permissions were able to add JavaScript to media files.

WordPress < 5.4.2 – Open Redirection

This issue was found by Ben Bidner of the WordPress Security Team. The security issue affected the wp_validate_redirect() function. An Open Redirect vulnerability usually allows attackers to redirect unsuspecting users to malicious websites. The patch for this security issue can be found here.
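To illustrate what a redirect guard such as wp_validate_redirect() has to enforce, here is an added example written for this post (it is not WordPress's own implementation; the allowed hosts and fallback URL are constructed). It rejects off-site hosts, non-HTTP schemes and the backslash and userinfo tricks that commonly slip past naive host checks:

```python
from urllib.parse import urlsplit

# Constructed allowlist: the hosts this site is willing to redirect to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# Constructed safe destination used whenever the requested location fails validation.
FALLBACK = "https://example.com/wp-admin/"


def validate_redirect(location, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `location` if it stays on an allowed host, otherwise `fallback`.

    The guard mirrors the intent of an open-redirect check: the browser must
    never be sent to a host the site owner has not approved, however the
    attacker-controlled string is shaped.
    """
    if not isinstance(location, str) or not location.strip():
        return fallback
    loc = location.strip()

    # Browsers treat backslashes as forward slashes, so "/\evil.com" is really
    # "//evil.com". Normalise first so the authority check below sees the host.
    loc = loc.replace("\\", "/")

    # Control characters and embedded whitespace can smuggle a second URL or
    # header; refuse them outright rather than trying to clean them.
    if any(ord(c) < 0x20 or c == " " for c in loc):
        return fallback

    parts = urlsplit(loc)

    # Only http(s) may be followed; javascript:, data: and friends are rejected.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback

    if parts.netloc:
        # `hostname` strips userinfo and port, so "https://example.com@evil.com/"
        # yields "evil.com" and is correctly refused. It is already lower-cased.
        host = parts.hostname or ""
        return loc if host in allowed_hosts else fallback

    # No authority present: accept only a plain absolute path on this site.
    # Protocol-relative "//host" never reaches here because it has a netloc.
    if loc.startswith("/") and not loc.startswith("//"):
        return loc
    return fallback
```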

WordPress < 5.4.2 – Authenticated XSS via Theme Upload

This issue was reported to WordPress by Nrimo Ing Pandum, who found an authenticated Cross-Site Scripting (XSS) vulnerability in the theme upload functionality. We assume that this requires the install_themes capability, which only Administrator users have.

WordPress < 5.4.2 – Misuse of set-screen-option Leading to Privilege Escalation

This security issue was identified by Simon Scannell of RIPS Technologies. Simon is a prolific security researcher who has identified many security issues affecting WordPress in the past. Simon reported a security issue in the set_screen_options() function that could allow for Privilege Escalation. The full patch can be found here.

WordPress < 5.4.2 – Disclosure of Password-Protected Page/Post Comments

Carolina Nymark identified that comments on password protected pages and posts could be disclosed under certain conditions. This issue affected the comment_excerpt() function, and the full patch can be found here.

WordPress < 5.4.2 – Authenticated XSS in Block Editor

Sam Thomas (jazzy2fives) reported an issue to WordPress that affected the Block Editor, where low-privileged users could inject malicious JavaScript into posts. WordPress does allow users who hold the unfiltered_html capability, namely Administrators and Editors, to add JavaScript to posts. In this case, however, the user exploiting the issue needed only the Author role or lower.

Keep Updated

You can view all the WordPress 5.4.2 security vulnerabilities on our WordPress Vulnerability Database. There you can also sign up for email notifications when we add new vulnerabilities to our database. We also have our WordPress Security Scanner, our WordPress Security Plugin and our Online WordPress Security Scanner.
