The core WordPress team released version 5.2.4 of WordPress on October 14. The release addresses six security issues that were all privately reported through WordPress’ responsible disclosure procedure.

Like any security release, users should update immediately to the latest version to keep their sites secure.

For those with automatic updates enabled, the new version is already rolling out to sites. All major branches of WordPress from version 3.7 to 5.2 received the new security fixes. If automatic updates are not enabled, users should update from the “Updates” screen under “Dashboard” in the WordPress admin. Otherwise, users can download WordPress from the release archive and manually run an update to make sure their site is not at risk to what are now publicly-known vulnerabilities.

In the release announcement, the following security issues were noted. They were corrected in all updated versions.

  • Stored cross-site scripting (XSS) could be added from the Customizer screen.
  • An issue that allowed stored XSS to inject JavaScript into