WordPress 5.5.2 Security and Maintenance Release

WordPress 5.5.2 Security and Maintenance

This security and maintenance release features 14 bug fixes in addition to 10 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.5.2 is a short-cycle security and maintenance release. The next major release will be version 5.6.

You can download WordPress 5.5.2 by downloading from WordPress, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Ten security issues affect WordPress versions 5.5.1 and earlier. If you haven’t yet updated to 5.5, all WordPress versions since 3.7 have also been updated to fix the following security issues:

  • in hardening deserialization requests.
  • on a fix to disable spam embeds from disabled sites on a multisite network.
  • an issue that could lead to XSS from global variables.
  • an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
  • a method where a DoS attack could lead to RCE.
  • a method to store XSS in post slugs.
  • a method to bypass protected meta that could lead to arbitrary file deletion.
  • a method that could lead to CSRF.
  • in many of the releases and patches during this release.

This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.

For more information, browse the full list of changes on Trac, or check out the version 5.5.2 HelpHub documentation page.

The full list of changes:

  • Administration
    • Theme editor page showing undefined variable notice
  • Build/Test Tools
    • Set the local environment to a development environment type by default
  • Comments
    • Wrong reply box title
    • PHP warning when editing comments in the administration comment edit screen 5.5.2 SergeyBiryukov defect (bug) closed normal
  • Date/Time
    • Events displayed in venue timezone instead of user's
    • Posts show wrong time when user is in a different time zone than the site's
  • Editor
    • Update Gutenberg Dependencies for WordPress 5.5.2
  • Embeds
    • Remove Facebook and Instagram as an oEmbed Source
    • Video Embeds set to aligh left disappear in Gutenberg editor
  • General
    • Undefined index: echo in core files
  • Help/About
    • Update the About page for 5.5.2
  • Media
    • Fix PHP notice when opening the edit image popup
  • Posts, Post Types
    • PHP Notice while moving post to trash (post_type has 2 registered taxonomies both with default_term set)
  • Upgrade/Install
    • Undefined index during automatic plugin/theme updates
  • XML-RPC
    • Unable to make anonymous comments via XML-RPC