Security and Maintenance Release: WordPress 5.2.3

WP Site Dr Team | Maintenance Release, Urgent Security Release

WordPress 5.2.3 is now available!

This security and maintenance release features 29 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

These bugs affect WordPress versions 5.2.2 and earlier; version 5.2.3 fixes them, so you’ll want to upgrade.

If you haven’t yet updated to 5.2, there are also updated versions of 5.0 and earlier that fix the bugs for you.

Security Updates

  • Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first was a cross-site scripting (XSS) vulnerability in post previews by contributors; the second was a cross-site scripting vulnerability in stored comments.
  • Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.
  • Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
  • Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
  • Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
  • Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
  • In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.

For more info, check out the Version 5.2.3 documentation page.

WordPress 5.2.3 is a short-cycle maintenance release.

You can browse the full list of changes below.

| Ticket | Summary | Owner | Type | Priority | Component | Version |
|---|---|---|---|---|---|---|
| #38415 | New Custom Link menu item has a wrong fallback label | afercia | defect (bug) | normal | Menus | 4.5 |
| #45739 | Block Editor: $editor_styles bug. | pento | defect (bug) | normal | Editor | 5.0.2 |
| #45935 | A URL in do_block_editor_incompatible_meta_box function does not have classic-editor__forget parameter | pento | defect (bug) | normal | Editor | 5.0 |
| #46757 | Media Trash: The Bulk Media options when in the Trash shouldn’t provide two primary buttons | afercia | defect (bug) | normal | Media | |
| #46758 | Media Trash: Primary button(s) should be on the left | afercia | defect (bug) | normal | Media | |
| #46899 | Ensure that tables generated by the Settings API have no semantics | SergeyBiryukov | defect (bug) | normal | Administration | |
| #47079 | Incorrect version for excerpt_allowed_blocks filter | desrosj | defect (bug) | normal | General | 5.0 |
| #47113 | Media views: dismiss notice button is invisible | afercia | defect (bug) | normal | Media | |
| #47145 | Feature Image dialog does not follow the dialog pattern | afercia | defect (bug) | normal | Administration | |
| #47190 | Twenty Seventeen: Native audio and video embeds have no focus state. | SergeyBiryukov | defect (bug) | normal | Bundled Theme | 5.0 |
| #47340 | Twenty Nineteen: Revise Latest Posts block styles to support post content options. | SergeyBiryukov | defect (bug) | normal | Bundled Theme | |
| #47386 | Fix headings hierarchy in the legacy Custom Background and Custom Header pages | afercia | defect (bug) | normal | Themes | |
| #47390 | Improve accessibility of forms elements within some “form-table” forms | afercia | defect (bug) | normal | Administration | |
| #47414 | Twenty Seventeen: Button block preview has extra spacing within button | SergeyBiryukov | defect (bug) | normal | Bundled Theme | |
| #47458 | Fix tab sequence order in the Media attachment browser | afercia | defect (bug) | normal | Media | |
| #47489 | Emoji are substituted in preformatted blocks | pento | defect (bug) | normal | Emoji | |
| #47502 | Media modal bottom toolbar cuts-off content in Internet Explorer 11 | afercia | defect (bug) | normal | Media | |
| #47538 | Minor Verbiage Update – Switch ‘developer time’ for ‘a developer’ | desrosj | enhancement | normal | Help/About | 5.2 |
| #47543 | Twenty Seventeen: buttons don’t change color on hover and focus | SergeyBiryukov | defect (bug) | normal | Bundled Theme | 5.2.1 |
| #47561 | Plugin: View details popup layout issue | afercia | defect (bug) | normal | Plugins | 5.2.2 |
| #47603 | My account toggle on admin bar not visible at high zoom levels | isabel_brison | defect (bug) | normal | Toolbar | |
| #47604 | Undefined variable: locked in wp-admin/edit-form-blocks.php | azaozz | defect (bug) | normal | Editor | 5.0 |
| #47687 | Use alt tags for gallery images in editor | afercia | enhancement | normal | Media | 5.2.2 |
| #47688 | Color hex code in color picker displayed in RTL instead of LTR on RTL install (take 2) | SergeyBiryukov | defect (bug) | normal | Customize | |
| #47693 | customizer Color picker should get closed when click on color picker area. | afercia | defect (bug) | normal | Customize | 4.9 |
| #47723 | Adding a custom link in nav-menus.php doesn’t trim whitespace | audrasjb | defect (bug) | normal | Menus | |
| #47758 | Font sizes on installation screen are too small | SergeyBiryukov | defect (bug) | normal | Upgrade/Install | |
| #47835 | PHP requirement always set to null for plugins | SergeyBiryukov | defect (bug) | normal | Site Health | 5.2 |
| #47888 | Adding a custom link in menu via Customize doesn’t trim whitespace. | audrasjb | defect (bug) | normal | Menus | |
| #47923 | 5.2.3 About Page Updates | desrosj | task (blessed) | normal | Help/About | |

Thanks and props!

This release brings together contributions from more than 62 other people. Thank you to everyone who made this release possible!

Adam Silverstein, Alex Concha, Alex Goller, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andy Fragen, Ashish Shukla, Aslam Shekh, backermann1978, Catalin Dogaru, Chetan Prajapati, Chris Aprea, Christoph Herr, [email protected], Daniel Llewellyn, donmhico, Ella van Durpe, epiqueras, Fencer04, flaviozavan, Garrett Hyder, Gary Pendergast, gqevu6bsiz, Hardik Thakkar, Ian Belanger, Ian Dunn, Jake Spurlock, Jb Audras, Jeffrey Paul, jikamens, John Blackbourn, Jonathan Desrosiers, Jorge Costa, karlgroves, Kjell Reigstad, laurelfulford, Maje Media LLC, Martin Spatovaliyski, Mary Baum, Monika Rao, Mukesh Panchal, nayana123, Ned Zimmerman, Nick Daugherty, Nilambar Sharma, nmenescardi, Paul Vincent Beigang, Pedro Mendonça, Peter Wilson, Sergey Biryukov, Sergey Predvoditelev, Sharaz Shahid, Stanimir Stoyanov, Stefano Minoia, Tammie Lister, tellthemachines, tmatsuur, Vaishali Panchal, vortfu, Will West, and yarnboy.