
The WordPress blogging system has received a security and bugfix release, version 5.4.2. The update closes 6 security vulnerabilities and fixes more than 20 bugs.
WordPress 5.4.2 Release Notes
Security Fixes
Five security issues affect WordPress versions 5.4 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.
- Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor.
- Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
- Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect().
- Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads.
- Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins, leading to privilege escalation.
- Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.
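The release notes say that every site on 5.4 or earlier should be upgraded, and that the older branches received their own patched point releases without listing those numbers. For an administrator who runs more than one WordPress install, the practical question is which ones still need attention. The following script is an added example and not part of the release notes or of WordPress itself: it reads the `$wp_version` declaration that a real install keeps in `wp-includes/version.php` (the file path and variable name are WordPress conventions; the file contents embedded below are a constructed sample, not a real file) and sorts each install into "current", "outdated" (a 5.4.x release below 5.4.2) or "older-branch" (5.3 and earlier, where the page gives no version number, so the install has to be checked against the backported release for its branch rather than declared vulnerable outright).

```python
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

# Fixed release named in the release notes above.
FIXED_VERSION = "5.4.2"

# Constructed sample of the top of wp-includes/version.php. A real install
# declares $wp_version this way; the rest of the content here is made up.
SAMPLE_VERSION_PHP = """<?php
/**
 * WordPress Version (constructed sample for this example)
 */
$wp_version = '5.4.1';
"""

# Matches the $wp_version assignment on its own line, e.g. $wp_version = '5.4.1';
VERSION_RE = re.compile(r"^\s*\$wp_version\s*=\s*'([^']+)'\s*;", re.MULTILINE)


def parse_wp_version(php_source: str) -> Optional[str]:
    """Return the version string declared in version.php, or None if absent."""
    match = VERSION_RE.search(php_source)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, int, int]:
    """Turn '5.4' / '5.4.2' / '5.4-RC1' into a comparable (major, minor, patch) tuple.

    WordPress writes its first release of a branch as '5.4', not '5.4.0', so
    the tuple is padded to three components; pre-release suffixes are dropped.
    """
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def classify(installed: str) -> str:
    """Classify an installed version against the fixed release.

    'current'      - 5.4.2 or newer
    'outdated'     - a 5.4.x release below 5.4.2: upgrade to 5.4.2
    'older-branch' - 5.3 or earlier: the page says patched releases exist for
                     these branches but does not name them, so verify the
                     install is on that branch's patched release
    """
    installed_t = version_tuple(installed)
    if installed_t >= version_tuple(FIXED_VERSION):
        return "current"
    if installed_t[:2] == (5, 4):
        return "outdated"
    return "older-branch"


def audit_source(php_source: str) -> dict:
    """Audit the contents of one version.php and return a small report."""
    version = parse_wp_version(php_source)
    if version is None:
        return {"version": None, "status": "unknown"}
    return {"version": version, "status": classify(version)}


def audit_install(docroot: Path) -> dict:
    """Audit a WordPress document root by reading wp-includes/version.php."""
    version_file = docroot / "wp-includes" / "version.php"
    if not version_file.is_file():
        return {"version": None, "status": "unknown"}
    return audit_source(version_file.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Usage: python wp_version_audit.py /var/www/site1 /var/www/site2 ...
    # With no arguments the constructed sample is audited instead.
    if len(sys.argv) > 1:
        for arg in sys.argv[1:]:
            report = audit_install(Path(arg))
            print(f"{arg}: {report['version']} -> {report['status']}")
    else:
        print("sample:", audit_source(SAMPLE_VERSION_PHP))
```

Point the script at each document root on the host; anything reported as "outdated" should go straight to 5.4.2, and "older-branch" results are the ones to compare against the point release WordPress shipped for that branch. The "unknown" status is returned rather than raising, so a scan across many directories keeps going when one of them is not a WordPress install.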
Bugfixes
- 49956 – Spammers able to share unmoderated comments (see related devnote below)
- 49749 – Registering rest routes with a slash-prefixed namespace gives inconsistent results
- 49798 – Default WordPress favicon in dark mode browsers
- 49808 – WordPress 5.4: Deprecated: tag_row_actions is deprecated since version 3.0.0
- 50121 – About page: correcting the order of headings
- 50131 – Absent custom favicon triggers wp-admin .htaccess/.htpasswd prompt on frontend in Firefox
- 49353 – button padding issue in edit plug on small device
- 37926 – Twenty Eleven & Twenty Twelve: Dropdown category widget exceeds parent div when strings are long enough
- 45865 – Twenty Nineteen: Consider decreasing the font size for widget titles
- 48803 – Twenty Twenty: Custom post type that doesn’t support author, shows author
- 48916 – Twenty Twenty: anchor links don’t work in mobile menu
- 49088 – Twenty Twenty: Add icon for g.page links (Google business profile)
- 49316 – Twenty Twenty missed license for images.
- 49320 – Twenty Twenty: aligncenter>figcaption missing text-align: center; feature
- 49322 – Twenty Twenty: Submenu items disappear underneath the Cover block
- 49435 – Twenty Twenty: inconsistent top and bottom margins for .alignwide and .alignfull on Chrome vs Safari (cross browser issue)
- 49699 – Twenty Nineteen: Center- and right-aligned heading accents appear broken
- 49793 – Twenty Twenty: Images in list blocks are not positioned correctly
- 49893 – TwentyTwenty: TikTok and ResearchGate Social Icons
- 49932 – Small Typo in Twenty-Twenty