Updating WordPress<\/a><\/li><\/ul>\n\n\n\nIf you are new to WordPress, we recommend that you begin with the following:<\/p>\n\n\n\n
- New To WordPress \u2013 Where to Start<\/a><\/li>
- First Steps With WordPress<\/a> or Upgrading WordPress Extended<\/a><\/li>
- WordPress Lessons<\/a><\/li><\/ul>\n\n\n\n
Summary<\/h2>\n\n\n\nSecurity updates<\/h3>\n\n\n\n
Five security issues affect WordPress versions 5.4 and earlier; version 5.4.2 fixes them, so you\u2019ll want to upgrade. If you haven\u2019t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.<\/p>\n\n\n\n
- Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor<\/li>
- Props to Luigi \u2013 (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.<\/li>
- Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in\u00a0wp_validate_redirect()<\/em><\/li>
- Props to\u00a0Nrimo Ing Pandum<\/a>\u00a0for finding an authenticated XSS issue via theme uploads<\/li>
- Props to\u00a0Simon Scannell of RIPS Technologies<\/a>\u00a0for finding an issue where\u00a0set-screen-option<\/em>\u00a0can be misused by plugins leading to privilege escalation<\/li>
- Props to\u00a0Carolina Nymark<\/a>\u00a0for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.<\/li><\/ul>\n\n\n\n
Maintenance updates<\/h3>\n\n\n\n
WordPress 5.4.2 features 22 bug and regression fixes<\/a> on both core and default themes.<\/p>\n\n\n\n- 49956<\/a> \u2013 Spammers able to share unmoderated comments (see related devnote below)<\/strong><\/li>
- 49749<\/a> \u2013 Registering rest routes with a slash-prefixed namespace give inconsistent results<\/li>
- 49798<\/a> \u2013 Default WordPress favicon in dark mode browsers<\/li>
- 49808<\/a> \u2013 WordPress 5.4: Deprecated: tag_row_actions is deprecated since version 3.0.0<\/li>
- 50121<\/a> \u2013 About page: correcting the order of headings<\/li>
- 50131<\/a> \u2013 Absent custom favicon triggers wp-admin .htaccess\/.htpasswd prompt on frontend in FIrefox<\/li>
- 49353<\/a> \u2013 button padding issue in edit plug on small device<\/li>
- 37926<\/a> \u2013 Twenty Eleven & Twenty Twelve: Dropdown category widget exceeds parent div when strings are long enough<\/li>
- 45865<\/a> \u2013 Twenty Nineteen: Consider decreasing the font size for widget titles<\/li>
- 48803<\/a> \u2013 Twenty Twenty: Custom post type that doesn\u2019t support author, shows author<\/li>
- 48916<\/a> \u2013 Twenty Twenty: anchor links don\u2019t work in mobile menu<\/li>
- 49088<\/a> \u2013 Twenty Twenty: Add icon for g.page links (Google business profile)<\/li>
- 49316<\/a> \u2013 Twenty Twenty missed license for images.<\/li>
- 49320<\/a> \u2013 Twenty Twenty: aligncenter>figcaption missing text-align: center; feature<\/li>
- 49322<\/a> \u2013 Twenty Twenty: Submenu items disappear underneath the Cover block<\/li>
- 49435<\/a> \u2013 Twenty Twenty: inconsistent top and bottom margins for .alignwide and .alignfull on Chrome vs Safari (cross browser issue)<\/li>
- 49699<\/a> \u2013 Twenty Nineteen: Center- and right-aligned heading accents appear broken<\/li>
- 49793<\/a> \u2013 Twenty Twenty: Images in list blocks are not positioned correctly<\/li>
- 49893<\/a> \u2013 TwentyTwenty: TikTok and ResearchGate Social Icons<\/li>
- 49932<\/a> \u2013 Small Typo in Twenty-Twenty<\/li><\/ul>\n\n\n\n
Thank you to everyone who contributed to WordPress 5.4.2:<\/strong><\/p>\n\n\n\nAndrea Fercia<\/a>, argentite<\/a>, M Asif Rahman<\/a>, Jb Audras<\/a>, Ayesh Karunaratne<\/a>, bdcstr<\/a>, Delowar Hossain<\/a>, Rob Migchels<\/a>, donmhico<\/a>, Emilie LEBRUN<\/a>, finomeno<\/a>, garethgillman<\/a>, Giorgio25b<\/a>, Gabriel Maldonado<\/a>, Hector F<\/a>, Ian Belanger<\/a>, Mathieu Viet<\/a>, Javier Casares<\/a>, Joe McGill<\/a>, jonkolbert<\/a>, Jono Alderson<\/a>, Joy<\/a>, Tammie Lister<\/a>, Kjell Reigstad<\/a>, KT<\/a>, markusthiel<\/a>, Mayank Majeji<\/a>, Mel Choyce-Dwan<\/a>, mislavjuric<\/a>, Mukesh Panchal<\/a>, Nikhil Bhansi<\/a>, oakesjosh<\/a>, Dominik Schilling<\/a>, Arslan Ahmed<\/a>, Peter Wilson<\/a>, Carolina Nymark<\/a>, Stephen Bernhardt<\/a>, Sam Fullalove<\/a>, Alain Schlesser<\/a>, Sergey Biryukov<\/a>, skarabeq<\/a>, Toni Viemer\u00f6<\/a>, suzylah<\/a>, Timothy Jacobs<\/a>, TeBenachi<\/a>, Jake Spurlock<\/a> and yuhin<\/a>.<\/p>\n\n\n\nFor more information, browse the full list of changes on Trac<\/a>.<\/p>\n\n\n\n