WordPress 5.3.2 Maintenance Release
Shortly after WordPress 5.3.1 was released, a couple of high severity Trac tickets were opened. The Core team scheduled this quick maintenance release to resolve these issues.
Main issues addressed in 5.3.2:
- Date/Time: Ensure that get_feed_build_date() correctly handles a modified post object with invalid date.
- Uploads: Fix file name collision in wp_unique_filename() when uploading a file with upper case extension on non case-sensitive file systems.
- Media: Fix PHP warnings in wp_unique_filename() when the destination directory is unreadable.
- Administration: Fix the colors in all color schemes for buttons with the .active class.
- Posts, Post Types: In wp_insert_post(), when checking the post date to set future or publish status, use a proper delta comparison.
See: WordPress 5.3.1 Security and Maintenance Release
Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.
- Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
- Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
- Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
- Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.
Please login to add feedback.