WordPress 5.5.2 has been released and fixes ten security issues affecting WordPress version 5.5.1 and earlier. If you haven’t yet updated to 5.5, all previous WordPress versions since 3.7 have also been updated to fix the following security issues:
- Alex Concha of the WordPress Security Team helped with the hardening of deserialization requests.
- David Binovec worked on a fix to disable spam embeds from disabled sites on a multisite network.
- Marc Montas reported an issue that could lead to XSS from global variables.
- Justin Tran reported an issue surrounding privilege escalation in XML-RPC. He also reported an issue around privilege escalation around post commenting via XML-RPC.
- Omar Ganiev reported a method where a Denial of Service attack could lead to Remote Code Execution (RCE).
- Karim El Ouerghemmi reported a method to store XSS in post slugs.
- Slavco and Karim El Ouerghemmi reported and fixed a method to bypass protected meta that could lead to arbitrary file deletion.
- Erwan LR from WPScan reported a method that could lead to CSRF.
- @zieladam, who was integral in many of the releases and patches.