WordPress 5.4.1 Addresses 7 Security Issues and Fixes Several Bugs

WordPress 5.4.1, a security and maintenance release, dropped today. The release addresses seven security issues, which were all responsibly disclosed to the WordPress security team. Core developers also included several fixes for code regressions in the previous version 5.4 release and ported bug fixes to the block editor from the Gutenberg plugin.

End-users with automatic updates enabled should begin seeing their sites updated shortly. Other users should update as soon as possible to make sure they are running a version of WordPress with the latest security fixes.

The WordPress support team has published the full release documentation for those who wish to view it.

Security fixes were added to every major version of WordPress from 5.4 back to 3.7. The following vulnerabilities were addressed:

  • Password reset tokens were not correctly invalidated.
  • Some private posts could be viewed without authentication.
  • Two cross-site scripting (XSS) vulnerabilities in the customizer.
  • XSS issue in the search block.
  • XSS issue in the WordPress object cache.
  • XSS issue with file uploads.
  • XSS issue in the block editor for WordPress 5.4 Release Candidates 1 and 2 (fixed in 5.4 RC5).

Block Editor Updates

Several fixes were high priority enough from the Gutenberg plugin to port to the WordPress 5.4.1 release. The biggest user-facing issues were a broken block duplication keyboard shortcut, misaligned buttons blocks, and odd scrolling behavior when attempting to edit text in a long block.

The following is a full list of the issues the development team addressed:

  • Fixed the Ctrl + Shift + D keyboard shortcut for duplicating a block, which no longer throws an error.
  • Adds correct margins when aligning the buttons block left or right.
  • Prevents the editor from scrolling to the top when clicking to edit a large block, such as a long list.
  • No longer hides the toolbar for plugins that have text inputs in the toolbar.
  • Stops a JavaScript crash with the latest posts block when an image has missing dimensions.
  • Escapes the HTML class for the RSS and search blocks to prevent malformed markup.

To review the code changes to the block editor in-depth, see the full ticket list.

Other Core WordPress Changes

Users who run their browsers in dark mode can rejoice if they also use the core WordPress favicon. The team introduced an updated favicon with a light background so that it no longer washes out. It is a minor fix but makes the famed WordPress logo look more professional.

The heading level, which was previously set to <h3>, has been bumped up one level on the WordPress admin freedoms screen (wp-admin/freedoms.php). This change provides the proper heading level and should help screen-reading users better navigate the page.

For users on the Edge or iOS Safari browsers who could not select files in the media library, it was due to a CSS issue that hid the input. This should no longer be an issue in the new update.

WordPress 5.4.1 addressed some regressions from the previous version. One revolves around posting by email when no post title was added. In that scenario, the email subject should have been used as the title, but this was broken by a code change in WordPress 5.4. For developers, the category_link and tag_link filter hooks were mistakenly deprecated previously and are now once again good to use without throwing a notice.

Plugin developers have a few bug fixes to look forward to. The WP_Site_Health object is now instantiated after the plugins_loaded and after_setup_theme hooks, which means they can perform necessary actions before the site health is checked. The deprecated wp_get_user_request_data() function is now correctly loaded on the front end, which was causing errors with plugins such as BuddyPress.

In a larger design change, plugin authors who add custom content to the privacy policy guide can use more HTML elements. In WordPress 5.4, the guide design was updated to add a white background behind the suggested text. However, the new code only applied to paragraphs. Now, the design supports tables, lists, and other elements that are commonly used. Unordered lists also have bullet points to distinguish them from paragraphs.

The development team fixed two issues with the REST API. The first corrected an issue with the get_item permissions check. The second fixed the _fields filtering. The core code now uses the rest_is_field_included() function to determine which fields to include to permit filtering by nested field properties.

9

9 responses to “WordPress 5.4.1 Addresses 7 Security Issues and Fixes Several Bugs”

  1. Virginia Wilson says:

    Do I want to go ahead and update to 5.4.1 since I just updated to 5.4 yesterday? And also is it still necessary to clear the cache daily if we’ll be posting a lot? I was thinking I should clear the cache, update to 5.4.1, clear the cache again; does this sound correct? We don’t want to lose recent additions made to the website content however. Just making sure this won’t effect plug-ins, etc. Thanks for any forthcoming responses.

    Report

    • Because this is a security update, you should absolutely update as soon as possible.

      As for caching, I would recommend clearing your cache after updating. It is probably unnecessary, but it wouldn’t hurt. You can always check with your caching plugin author for their advice.

      The update shouldn’t affect any plugins that are already running fine on 5.4, but if you’re worried about that, you should ask your web host about setting up a staging site for you to test the update on, which is basically just a duplicate of your real (production) site.

      Report

  2. K j. says:

    Noticed my gt metrix score jumped considerably after the update.

    Report

  3. Yes, The new update has speed up my blog and now its loading very fast. Hapy to see the improvement.

    Report

  4. propio says:

    I cant see how add new plugins in wordpress 5.4.1 can you help me

    I only installed plugins can you help me please

    Report

  5. Frank Ibitayo says:

    Please one of my wordpress websites is displaying ” Error Establishing Database connection” Please what can be done to restore this? I need help

    Report

  6. Tina says:

    The update caused an error when I try to edit my pages. Do you have a resolve for this?

    Report

Newsletter

Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: