WordPress core version 5.4.2 was released in June 2020 as a combined bug-fix and security release. If you have not updated your old core version yet, it is recommended that you do so immediately. Most of the security fixes in this update address vulnerabilities that can only be exploited under specific conditions. The release contains six security fixes, three of which address Cross-Site Scripting (XSS) vulnerabilities.

Both the premium and free versions of Wordfence include robust built-in XSS protection that safeguards sites against potential exploitation of these issues. Below is a breakdown of each security issue fixed in the release. You may seek the help of a digital marketing company in Gurgaon to update your old version to the latest core version.

  • XSS Issue Where Authenticated Users with Low Privileges Can Add JavaScript to Posts in the Block Editor

This issue was discovered by Sam Thomas. It allows an attacker to insert JavaScript into any post by manipulating the attributes of embedded iframes. It is exploitable by users with the edit_posts capability, which means users with the Contributor role or above in most configurations.

  • XSS Issue Where Authenticated Users with Upload Permissions Become Capable of Adding JavaScript to Media Files

This issue allows an attacker to insert JavaScript into the “Description” field of media files. It is exploitable by users with the upload_files capability, which means users with the Author role or above in most configurations.

  • Open Redirect Issue in wp_validate_redirect

In this issue, the wp_validate_redirect function did not sufficiently sanitize the URLs supplied to it. An attacker could craft links pointing at the site that redirect visitors to a malicious external site. Exploitation requires no special capabilities, but it does require social engineering or a separate vulnerability in a theme or plugin.

  • Authenticated XSS Issue via Theme Uploads

Because of this issue, an attacker can insert JavaScript into the stylesheet name of a broken theme, which is then executed when another user visits the Appearance > Themes page on the site. This issue is exploitable by users with the edit_themes and install_themes capabilities, which are only available to administrators in most configurations.

  • Issue Where set-screen-option Is Misused by Plugins, Leading to Privilege Escalation

Because of this issue, plugins that use the set-screen-option filter incorrectly could be abused by attackers to obtain administrative access. However, no plugins have been found to be susceptible to this issue.
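As an added illustration (not code from this page or from WordPress core), the plugin-side pattern that matters here is shown below: a set-screen-option callback that accepts any option name, beside one that only handles the option the plugin owns and validates the value. The option name myplugin_items_per_page and the myplugin_ prefix are assumed.

```php
<?php
// Added example, not from the page or WordPress core. Option name is assumed.

// Unsafe pattern: returns the submitted value for EVERY option name.
// In pre-5.4.2 core, set_screen_options() saved whatever this filter returned
// as user meta under the option name taken from the request, so a callback
// like this lets a logged-in user write user meta keys the plugin never meant
// to expose.
function insecure_set_screen_option( $status, $option, $value ) {
    return $value;
}

// Safer pattern: only claim the option this plugin owns, validate the value,
// and hand every other option back unchanged so core keeps rejecting it.
function myplugin_set_screen_option( $status, $option, $value ) {
    if ( 'myplugin_items_per_page' !== $option ) {
        return $status; // not ours; leave core's default decision (false) in place
    }
    $value = absint( $value );
    // Clamp to a sane range; fall back to the default when the input is invalid.
    if ( $value < 1 || $value > 100 ) {
        return 20;
    }
    return $value;
}
add_filter( 'set-screen-option', 'myplugin_set_screen_option', 10, 3 );
```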

  • Comments from Password-Protected Pages and Posts Are Displayed Under Specific Conditions

In this issue, comments on password-protected posts and pages could be visible on sites that display a recent comments widget or use a theme or plugin with the same functionality.

What Steps to Take?

The majority of these vulnerabilities only appear or are exploitable under specific conditions or by trusted users. Updating your old core version to WordPress 5.4.2 addresses all of these issues. Attackers continue to find new ways to exploit such vulnerabilities, and the researchers who discover them often publish proof-of-concept code that makes exploitation easy. Since WordPress 5.4.2 is a minor release, most WordPress blogs and sites will be updated automatically.

Along with the latest release, one more maintenance update has been deployed; you can check it out on the official WordPress 5.4.2 release page. This release is a short-cycle maintenance release, and the next major core release will be WordPress 5.5.

What’s New in WordPress 5.4.2?

The WordPress 5.4.2 core release also focuses on enhancing the block editor by integrating new features and expanding existing blocks. This is a great relief for content creators, as they can do more with blocks in their content editor. The update also includes a new welcome guide pop-up that introduces beginners to the block editor: a slide show that explains the key points and the blocks.

The WordPress core team and security researchers are consistently working to find vulnerabilities responsibly so that fixes can be developed and WordPress remains safer software to use. Anyone can find the official announcement of the WordPress 5.4.2 release on the official website. You may contact the customer service team if you have any questions related to the latest update and release.

If you are a researcher and want to provide additional details, contact the core team, and WordPress will promptly fix the bugs. It is important to take a backup and update to the latest version, WordPress 5.4.2, to prevent possible security attacks. So, seek the help of an experienced SEO services company in Gurgaon to update your WordPress today and enjoy these security fixes.