Security and Maintenance Release: WordPress 5.2.3

WordPress 5.2.3 is now available!

This security and maintenance release features 29 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

These bugs affect WordPress versions 5.2.2 and earlier; version 5.2.3 fixes them, so you’ll want to upgrade.

If you haven’t yet updated to 5.2, there are also updated versions of 5.0 and earlier that fix the bugs for you.

Security Updates

• Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first, a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.
• Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.
• Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
• Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
• Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
• Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
• In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.

For more info, check out the Version 5.2.3 documentation page.

WordPress 5.2.3 is a short-cycle maintenance release.

You can browse the full list of changes on below.

Ticket	Summary	Owner	Type	Priority	Component	Version
#38415	New Custom Link menu item has a wrong fallback label	afercia	defect (bug)	normal	Menus	4.5
#45739	Block Editor: $editor_styles bug.	pento	defect (bug)	normal	Editor	5.0.2
#45935	A URL in do_block_editor_incompatible_meta_box function does not have classic-editor__forget parameter	pento	defect (bug)	normal	Editor	5.0
#46757	Media Trash: The Bulk Media options when in the Trash shouldn’t provide two primary buttons	afercia	defect (bug)	normal	Media
#46758	Media Trash: Primary button(s) should be on the left	afercia	defect (bug)	normal	Media
#46899	Ensure that tables generated by the Settings API have no semantics	SergeyBiryukov	defect (bug)	normal	Administration
#47079	Incorrect version for excerpt_allowed_blocks filter	desrosj	defect (bug)	normal	General	5.0
#47113	Media views: dismiss notice button is invisible	afercia	defect (bug)	normal	Media
#47145	Feature Image dialog does not follow the dialog pattern	afercia	defect (bug)	normal	Administration
#47190	Twenty Seventeen: Native audio and video embeds have no focus state.	SergeyBiryukov	defect (bug)	normal	Bundled Theme	5.0
#47340	Twenty Nineteen: Revise Latest Posts block styles to support post content options.	SergeyBiryukov	defect (bug)	normal	Bundled Theme
#47386	Fix headings hierarchy in the legacy Custom Background and Custom Header pages	afercia	defect (bug)	normal	Themes
#47390	Improve accessibility of forms elements within some “form-table” forms	afercia	defect (bug)	normal	Administration
#47414	Twenty Seventeen: Button block preview has extra spacing within button	SergeyBiryukov	defect (bug)	normal	Bundled Theme
#47458	Fix tab sequence order in the Media attachment browser	afercia	defect (bug)	normal	Media
#47489	Emoji are substituted in preformatted blocks	pento	defect (bug)	normal	Emoji
#47502	Media modal bottom toolbar cuts-off content in Internet Explorer 11	afercia	defect (bug)	normal	Media
#47538	Minor Verbiage Update – Switch ‘developer time’ for ‘a developer’	desrosj	enhancement	normal	Help/About	5.2
#47543	Twenty Seventeen: buttons don’t change color on hover and focus	SergeyBiryukov	defect (bug)	normal	Bundled Theme	5.2.1
#47561	Plugin: View details popup layout issue	afercia	defect (bug)	normal	Plugins	5.2.2
#47603	My account toggle on admin bar not visible at high zoom levels	isabel_brison	defect (bug)	normal	Toolbar
#47604	Undefined variable: locked in wp-admin/edit-form-blocks.php	azaozz	defect (bug)	normal	Editor	5.0
#47687	Use alt tags for gallery images in editor	afercia	enhancement	normal	Media	5.2.2
#47688	Color hex code in color picker displayed in RTL instead of LTR on RTL install (take 2)	SergeyBiryukov	defect (bug)	normal	Customize
#47693	customizer Color picker should get closed when click on color picker area.	afercia	defect (bug)	normal	Customize	4.9
#47723	Adding a custom link in nav-menus.php doesn’t trim whitespace	audrasjb	defect (bug)	normal	Menus
#47758	Font sizes on installation screen are too small	SergeyBiryukov	defect (bug)	normal	Upgrade/Install
#47835	PHP requirement always set to null for plugins	SergeyBiryukov	defect (bug)	normal	Site Health	5.2
#47888	Adding a custom link in menu via Customize doesn’t trim whitespace.	audrasjb	defect (bug)	normal	Menus
#47923	5.2.3 About Page Updates	desrosj	task (blessed)	normal	Help/About

Thanks and props!

This release brings together contributions from more than 62 other people. Thank you to everyone who made this release possible!

Adam Silverstein, Alex Concha, Alex Goller, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andy Fragen, Ashish Shukla, Aslam Shekh, backermann1978, Catalin Dogaru, Chetan Prajapati, Chris Aprea, Christoph Herr, [email protected], Daniel Llewellyn, donmhico, Ella van Durpe, epiqueras, Fencer04, flaviozavan, Garrett Hyder, Gary Pendergast, gqevu6bsiz, Hardik Thakkar, Ian Belanger, Ian Dunn, Jake Spurlock, Jb Audras, Jeffrey Paul, jikamens, John Blackbourn, Jonathan Desrosiers, Jorge Costa, karlgroves, Kjell Reigstad, laurelfulford, Maje Media LLC, Martin Spatovaliyski, Mary Baum, Monika Rao, Mukesh Panchal, nayana123, Ned Zimmerman, Nick Daugherty, Nilambar Sharma, nmenescardi, Paul Vincent Beigang, Pedro Mendonça, Peter Wilson, Sergey Biryukov, Sergey Predvoditelev, Sharaz Shahid, Stanimir Stoyanov, Stefano Minoia, Tammie Lister, tellthemachines, tmatsuur, Vaishali Panchal, vortfu, Will West, and yarnboy.