Title: Version 5.4.1
Author: Jb Audras
Published: April 29, 2020

---

# Version 5.4.1

## In this article

 * [Installation/Update Information](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#installation-update-information)
 * [Summary](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#summary)
    - [Security updates](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#security-updates)
    - [Maintenance updates](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#maintenance-updates)
 * [List of Files Revised](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#list-of-files-revised)
 * [Updated packages](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#updated-packages)

[ Back to top](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#wp--skip-link--target)

On April 29, 2020, WordPress 5.4.1 was released to the public.

## 󠀁[Installation/Update Information](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#installation-update-information)󠁿

To download WordPress 5.4.1, update automatically from the Dashboard > Updates menu
in your site’s admin area or visit [https://wordpress.org/download/release-archive/](https://wordpress.org/download/release-archive/).

For step-by-step instructions on installing and updating WordPress:

 *  [Updating WordPress](https://wordpress.org/documentation/article/updating-wordpress/)

If you are new to WordPress, we recommend that you begin with the following:

 *  [New To WordPress – Where to Start](https://wordpress.org/support/article/new_to_wordpress_-_where_to_start/?output_format=md)
 *  [First Steps With WordPress](https://wordpress.org/support/article/first-steps-with-wordpress/?output_format=md)
   or [Upgrading WordPress Extended](https://wordpress.org/documentation/article/upgrading-wordpress-extended-instructions/)
 *  [WordPress Lessons](https://wordpress.org/support/article/wordpress-lessons/?output_format=md)

## 󠀁[Summary](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#summary)󠁿

### 󠀁[Security updates](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#security-updates)󠁿

Six security issues affect WordPress versions 5.4 and earlier; version 5.4.1 fixes
them, so you’ll want to upgrade. If you haven’t yet updated to 5.4, there are also
updated versions of 5.3 and earlier that fix the security issues.

 * Props to [Muaz Bin Abdus Sattar](https://hackerone.com/hijibiji) and [Jannes](https://hackerone.com/dyennez)
   who both independently reported an issue where password reset tokens were not
   properly invalidated
 * Props to [ka1n4t](https://github.com/ka1n4t) for finding an issue where certain
   private posts can be viewed unauthenticated
 * Props to [Evan Ricafort](https://evanricafort.com/) for discovering an XSS issue
   in the Customizer
 * Props to Ben Bidner from the WordPress Security Team who discovered an XSS issue
   in the search block
 * Props to Nick Daugherty from WPVIP.com / WordPress Security Team who discovered
   an XSS issue in wp-object-cache
 * Props to Ronnie Goodrich ([Kahoots](https://hackerone.com/kahoots)) and [Jason Medeiros](http://pentestusa.com/)
   who independently reported an XSS issue in file uploads.
 * Additionally, an authenticated XSS issue in the block editor was discovered by
   Nguyen the Duc in WordPress 5.4 RC1 and RC2. It was fixed in 5.4 RC5. We wanted
   to be sure to give credit and thank them for all of their work in making WordPress
   more secure.

### 󠀁[Maintenance updates](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#maintenance-updates)󠁿

WordPress 5.4.1 also fixes some regressions introduced in version 5.4:

 * [#49838](https://core.trac.wordpress.org/ticket/49838) – Accessibility: Fix the
   headings hierarchy on the Freedoms page
 * [#49798](https://core.trac.wordpress.org/ticket/49798) – Customize: Give the 
   WordPress logo a white background for dark mode browsers
 * [#49853](https://core.trac.wordpress.org/ticket/49853) – Mail: Make the check
   for empty post title in `wp-mail.php` more resilient
 * [#49753](https://core.trac.wordpress.org/ticket/49753) – Media: Remove `display:
   none;` from the (visually hidden) `<input type="file">` button used in Plupload
   to select files for uploading. Fixes selecting files in Edge <= 44 and iOS Safari
 * [#49772](https://core.trac.wordpress.org/ticket/49772) – Privacy: Support additional
   elements (table, ol, ul) in privacy policy guide new styling
 * [#49802](https://core.trac.wordpress.org/ticket/49802) – Privacy: Make the deprecated`
   wp_get_user_request_data()` function available on front end
 * [#49645](https://core.trac.wordpress.org/ticket/49645) – REST API: Fix revisions
   controller get_item permission check
 * [#49648](https://core.trac.wordpress.org/ticket/49648) – REST API: Fix `_fields`
   filtering of registered rest fields
 * [#49824](https://core.trac.wordpress.org/ticket/49824) – Site Health: Instantiation
   prevents use of some hooks by plugins
 * [#49759](https://core.trac.wordpress.org/ticket/49759) – Taxonomy: Un-deprecate`
   category_link` and `tag_link` filters
 * [#49974](https://core.trac.wordpress.org/ticket/49974) – Block Editor updates

**Thank you to everyone who contributed to WordPress 5.4.1:**

[Alex Concha](https://profiles.wordpress.org/xknown/), [Andrea Fercia](https://profiles.wordpress.org/afercia/),
[Andrew Duthie](https://profiles.wordpress.org/aduth/), [Andrew Ozz](https://profiles.wordpress.org/azaozz/),
[Andy Fragen](https://profiles.wordpress.org/afragen/), [Andy Peatling](https://profiles.wordpress.org/apeatling/),
[arnaudbroes](https://profiles.wordpress.org/arnaudbroes/), [Chris Van Patten](https://profiles.wordpress.org/chrisvanpatten/),
[Daniel Richards](https://profiles.wordpress.org/talldanwp/), [DhrRob](https://profiles.wordpress.org/dhrrob/),
[Dono12](https://profiles.wordpress.org/dono12/), [dudo](https://profiles.wordpress.org/dudo/),
[ehtis](https://profiles.wordpress.org/ehti/), [Ella van Durpe](https://profiles.wordpress.org/ellatrix/),
[Garrett Hyder](https://profiles.wordpress.org/garrett-eclipse/), [Ian Belanger](https://profiles.wordpress.org/ianbelanger/),
[Ipstenu (Mika Epstein)](https://profiles.wordpress.org/ipstenu/), [Jake Spurlock](https://profiles.wordpress.org/whyisjake/),
[Jb Audras](https://profiles.wordpress.org/audrasjb/), [John Blackbourn](https://profiles.wordpress.org/johnbillion/),
[John James Jacoby](https://profiles.wordpress.org/johnjamesjacoby/), [Jonathan Desrosiers](https://profiles.wordpress.org/desrosj/),
[Jorge Costa](https://profiles.wordpress.org/jorgefilipecosta/), [K. Adam White](https://profiles.wordpress.org/kadamwhite/),
[Kelly Choyce-Dwan](https://profiles.wordpress.org/ryelle/), [MarkRH](https://profiles.wordpress.org/markrh/),
[mattyrob](https://profiles.wordpress.org/mattyrob/), [Miguel Fonseca](https://profiles.wordpress.org/mcsf/),
[Mohammad Jangda](https://profiles.wordpress.org/batmoo/), [Mukesh Panchal](https://profiles.wordpress.org/mukesh27/),
[Nick Daugherty](https://profiles.wordpress.org/nickdaugherty/), [noahtallen](https://profiles.wordpress.org/noahtallen/),
[Paul Biron](https://profiles.wordpress.org/pbiron/), [Peter Westwood](https://profiles.wordpress.org/westi/),
[Peter Wilson](https://profiles.wordpress.org/peterwilsoncc/), [pikamander2](https://profiles.wordpress.org/pikamander2/),
[r-a-y](https://profiles.wordpress.org/r-a-y/), [Riad Benguella](https://profiles.wordpress.org/youknowriad/),
[Robert Anderson](https://profiles.wordpress.org/noisysocks/), [Samuel Wood (Otto)](https://profiles.wordpress.org/otto42/),
[Sergey Biryukov](https://profiles.wordpress.org/sergeybiryukov/), [Søren Brønsted](https://profiles.wordpress.org/sorenbronsted/),
[Stanimir Stoyanov](https://profiles.wordpress.org/sstoqnov/), [tellthemachines](https://profiles.wordpress.org/isabel_brison/),
[Timothy Jacobs](https://profiles.wordpress.org/timothyblynjacobs/), [Toro_Unit (Hiroshi Urabe)](https://profiles.wordpress.org/toro_unit/),
[treecutter](https://profiles.wordpress.org/treecutter/), and [yohannp](https://profiles.wordpress.org/yohannp/).

For more information, [browse the full list of changes on Trac](https://core.trac.wordpress.org/query?status=closed&resolution=fixed&milestone=5.4.1&order=priority).

## 󠀁[List of Files Revised](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#list-of-files-revised)󠁿

    ```wp-block-preformatted
    /wp-admin/css/about.css
    /wp-admin/css/edit.css
    /wp-admin/freedoms.php
    /wp-admin/images/w-logo-blue.png
    /wp-admin/includes/deprecated.php
    /wp-includes/assets/script-loader-packages.php
    /wp-includes/blocks/rss.php
    /wp-includes/blocks/search.php
    /wp-includes/cache.php
    /wp-includes/class-wp-customize-manager.php
    /wp-includes/class-wp-object-cache.php
    /wp-includes/class-wp-query.php
    /wp-includes/css/media-views.css
    /wp-includes/deprecated.php
    /wp-includes/formatting.php
    /wp-includes/post.php
    /wp-includes/rest-api/endpoints/class-wp-rest-controller.php
    /wp-includes/rest-api/endpoints/class-wp-rest-revisions-controller.php
    /wp-includes/taxonomy.php
    /wp-includes/user.php
    /wp-includes/version.php
    /wp-mail.php
    /wp-settings.php
    ```

## 󠀁[Updated packages](https://wordpress.org/documentation/wordpress-version/version-5-4-1/?output_format=md#updated-packages)󠁿

    ```wp-block-preformatted
    @wordpress/block-directory: 1.5.8
    @wordpress/block-editor: 3.7.8
    @wordpress/block-library: 2.14.8
    @wordpress/edit-post: 3.13.10
    @wordpress/editor: 9.12.8
    @wordpress/format-library: 1.14.8
    ```

First published

April 29, 2020

Last updated