WordPress 5.4.1 Addresses 7 Security Issues and Fixes Several Bugs

WordPress 5.4.1, a security and maintenance release, dropped today. The release addresses seven security issues, which were all responsibly disclosed to the WordPress security team. Core developers also included several fixes for code regressions in the previous version 5.4 release and ported bug fixes to the block editor from the Gutenberg plugin.

End-users with automatic updates enabled should begin seeing their sites updated shortly. Other users should update as soon as possible to make sure they are running a version of WordPress with the latest security fixes.

The WordPress support team has published the full release documentation for those who wish to view it.

Security fixes were added to every major version of WordPress from 5.4 back to 3.7. The following vulnerabilities were addressed:

• Password reset tokens were not correctly invalidated.
• Some private posts could be viewed without authentication.
• Two cross-site scripting (XSS) vulnerabilities in the customizer.
• XSS issue in the search block.
• XSS issue in the WordPress object cache.
• XSS issue with file uploads.
• XSS issue in the block editor for WordPress 5.4 Release Candidates 1 and 2 (fixed in 5.4 RC5).

Block Editor Updates

Several fixes were high priority enough from the Gutenberg plugin to port to the WordPress 5.4.1 release. The biggest user-facing issues were a broken block duplication keyboard shortcut, misaligned buttons blocks, and odd scrolling behavior when attempting to edit text in a long block.

The following is a full list of the issues the development team addressed:

• Fixed the Ctrl + Shift + D keyboard shortcut for duplicating a block, which no longer throws an error.
• Adds correct margins when aligning the buttons block left or right.
• Prevents the editor from scrolling to the top when clicking to edit a large block, such as a long list.
• No longer hides the toolbar for plugins that have text inputs in the toolbar.
• Stops a JavaScript crash with the latest posts block when an image has missing dimensions.
• Escapes the HTML class for the RSS and search blocks to prevent malformed markup.

To review the code changes to the block editor in-depth, see the full ticket list.

Other Core WordPress Changes

Users who run their browsers in dark mode can rejoice if they also use the core WordPress favicon. The team introduced an updated favicon with a light background so that it no longer washes out. It is a minor fix but makes the famed WordPress logo look more professional.

The heading level, which was previously set to <h3>, has been bumped up one level on the WordPress admin freedoms screen (wp-admin/freedoms.php). This change provides the proper heading level and should help screen-reading users better navigate the page.

For users on the Edge or iOS Safari browsers who could not select files in the media library, it was due to a CSS issue that hid the input. This should no longer be an issue in the new update.

WordPress 5.4.1 addressed some regressions from the previous version. One revolves around posting by email when no post title was added. In that scenario, the email subject should have been used as the title, but this was broken by a code change in WordPress 5.4. For developers, the category_link and tag_link filter hooks were mistakenly deprecated previously and are now once again good to use without throwing a notice.

Plugin developers have a few bug fixes to look forward to. The WP_Site_Health object is now instantiated after the plugins_loaded and after_setup_theme hooks, which means they can perform necessary actions before the site health is checked. The deprecated wp_get_user_request_data() function is now correctly loaded on the front end, which was causing errors with plugins such as BuddyPress.

In a larger design change, plugin authors who add custom content to the privacy policy guide can use more HTML elements. In WordPress 5.4, the guide design was updated to add a white background behind the suggested text. However, the new code only applied to paragraphs. Now, the design supports tables, lists, and other elements that are commonly used. Unordered lists also have bullet points to distinguish them from paragraphs.

The development team fixed two issues with the REST API. The first corrected an issue with the get_item permissions check. The second fixed the _fields filtering. The core code now uses the rest_is_field_included() function to determine which fields to include to permit filtering by nested field properties.