On October 14, 2019, WordPress 5.2.4 was released, addressing 6 security issues. Users should update to the latest version immediately to keep their sites secure.
WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for users who have not yet updated to 5.2. Sites with automatic updates enabled should already have been updated to the new version. If automatic updates are not enabled on your sites, update from the “Updates” screen under “Dashboard” in the WP admin.
The official release announcement can be found here. Below are the security issues corrected in all updated versions:
- Stored cross-site scripting (XSS) could be added from the Customizer screen.
- A bug that allowed posts to be viewed without authentication.
- A method to use the Vary: Origin header to poison the cache of JSON GET requests (REST API).
- A server-side request forgery (SSRF) in how URLs are validated.
- Issues with referrer validation in the WordPress admin.
For more information, browse the full list of changes on Trac; developers who want to dig into the code changes can find them on GitHub or check out the Version 5.2.4 documentation page. WordPress 5.2.4 is a short-cycle security release. The next major release will be version 5.3.
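As an added inventory check (example code written for this page, not part of the release or of WordPress itself), the script below reads the version assignment from a copy of wp-includes/version.php and classifies the install against the facts stated in this announcement. It assumes the stock `$wp_version = '...';` line in that file; the sample file contents are constructed.

```python
import re
from typing import Optional, Tuple

# Facts taken from the announcement above: 5.2.3 and earlier are affected and
# 5.2.4 is the fixed release on the 5.2 branch. Patched builds for 5.1 and
# earlier exist too, but the announcement gives no version numbers for them,
# so those branches are flagged for manual confirmation rather than judged.
FIXED_52 = (5, 2, 4)

# Matches the assignment as it appears in wp-includes/version.php.
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([0-9][0-9A-Za-z.\-]*)['"]""")


def parse_wp_version(version_php: str) -> Optional[Tuple[int, ...]]:
    """Return $wp_version from the text of version.php as an int tuple.

    '5.2.3' -> (5, 2, 3); '5.2' is padded to (5, 2, 0); a pre-release
    suffix such as '-beta1' is dropped. None if no assignment is present.
    """
    match = VERSION_RE.search(version_php)
    if match is None:
        return None
    numeric = match.group(1).split("-")[0]
    parts = tuple(int(p) for p in numeric.split(".") if p.isdigit())
    while len(parts) < 3:
        parts += (0,)
    return parts


def assess(version: Tuple[int, ...]) -> str:
    """Classify a parsed version against the 5.2.4 security release."""
    if version >= FIXED_52:
        return "patched"
    if version[:2] == (5, 2):
        return "vulnerable"       # 5.2.0 through 5.2.3: update to 5.2.4
    return "check-backport"       # 5.1.x or older: confirm the backported fix


def check_version_php(version_php: str) -> str:
    """Convenience wrapper: raw version.php text -> status string."""
    version = parse_wp_version(version_php)
    return "unknown" if version is None else assess(version)


# Constructed samples of the relevant line from version.php (not real files).
SAMPLE_VULNERABLE = "<?php\n$wp_version = '5.2.3';\n"
SAMPLE_PATCHED = "<?php\n$wp_version = '5.2.4';\n"

if __name__ == "__main__":
    for label, text in (("old", SAMPLE_VULNERABLE), ("new", SAMPLE_PATCHED)):
        print(label, "->", check_version_php(text))
```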