WordPress 5.4.2 Fixes Several XSS Vulnerabilities, Update Now

Have you updated your WordPress to version 5.4.2? If you haven’t, consider doing it as soon as possible, as the update contains 23 fixes and enhancements, and specifically 6 security fixes, 3 of which address XXS, or cross-site scripting vulnerabilities.

Security fixes in WordPress Version 5.4.2

The first XSS vulnerability addressed in the latest version of WordPress could have allowed authenticated users with low privileges to add JavaScript to posts in the block editor.

The vulnerability could enable an attacker to inject JavaScript into a post by manipulating the attributes of Embedded iFrames. Users with the edit_posts capability, or users with the Contributor role or higher in most configurations, could be able to leverage the issue, Wordfence researchers say.

The second XSS flaw could allow authenticated users with upload permissions (upload_files capability) to add JavaScript to media files. In other words, attackers could be able to inject JavaScript code into the “Description” field of an uploaded media file. This includes users with the Author role or higher.


Also, Read 130M Attacks Try to Steal Database Credentials from 1.3M WordPress Sites


The third authenticated XSS bug could allow attackers to inject JavaScript into the stylesheet of a broken WordPress theme. The code would then be executed if another user opens the Appearance -> Themes page. This vulnerability could be exploitable by users with the install_themes or edit_themes capabilities, available to administrators in most configurations, Wordfence warns.

What other security bugs were fixed in WordPress Version 5.4.2?

– An open redirect issue in wp_validate_redirect();
– An issue where set-screen-option can be misused by plugins leading to privilege escalation;
– An issue where comments from password-protected posts and pages could be displayed under certain conditions.

The good news is that most of these issues can be exploited only under specific, limited conditions or by trusted users. Nonetheless, updating to the latest version is highly recommended. Note that since this is a minor WordPress release, most websites will automatically update to version 5.4.2.

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.