WordPress 5.3.1 is now available! This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.
WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.
You can download WordPress 5.3.1 by clicking this link, or visit your WordPress website's Dashboard → Updates and click Update Now.
Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096
Project: Webform
Versions: 7.x-4.x, 7.x-3.x
Date: 2019-December-11
Security risk: Critical 15∕25
Vulnerability: Multiple vulnerabilitiesDescription
This module enables you to create forms to collect information from users and report, analyze and distribute it by email.
Project: Smart Trim
Version: 8.x-1.x
Date: 2019-December-11
Security risk: Moderately critical
Vulnerability: Cross site scriptingThe Smart Trim module allows site builders additional control with text summary fields.
The module doesn't sufficiently filter text when certain options are selected.
This vulnerability is mitigated by the fact that an attacker must have a role with the ability to create content on the site when certain options are selected for the trimmed output.
Projects: Multiple
Date: 2019-November-13
Security risk: Critical
Vulnerability: UnsupportedDrupal Security team released multiple security advisories earlier today, notifying the following contributed modules and themes have been marked as unsupported and therefore should be either fixed or uninstalled:
WordPress 5.3 with the improved block editor, named “Kirk” in honour of jazz multi-instrumentalist Rahsaan Roland Kirk, has been released today and is available for download or update in your dashboard.
5.3 expands and refines the block editor with more intuitive interactions and improved accessibility. New features in the editor increase design freedoms, provide additional layout options and style variations to allow designers more control over the look of a site.
Project: Open Social
Date: 2019-November-06
Security risk: Critical 15∕25
Vulnerability: Insecure Session Management
Open Social is a Drupal distribution for online communities. The included social_magic_login module doesn't sufficiently validate magic login URLs for user accounts that do not have a local password, but login via external systems. The lack of validation makes it possible for an adversary to forge valid login URLs and login to such an account.
Project: Booking and Availability Management Tools for Drupal
Date: 2019-October-16
Security risk: Moderately critical 11∕25
Vulnerability: Access BypassThe Bat module provides a foundation through which a wide range of availability management, reservation and booking use cases can be addressed.
The routes used to view events don't sufficiently guard access for non-privileged users. Specifically, a user with the 'View own' permission for bat events can view others' events as well.
WordPress 5.2.4 is now available! This security release fixes 6 security issues.
WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2.
The following security vulnerabilities have been detected and addressed in this release:
Type: Maintenance work
Category: Advanced infrastructure
Start: October 16, 2019 3:00 AM CEST
End: October 16, 2019 3:05 AM CESTIn the above mentioned period maintenance on our European data-center will be performed. During this maintenance, the affected servers and the websites hosted accounts on them will not be available for about five minutes.
AltaGrade clients who have their projects hosted on Germany-based AltaGrade servers.
Project: Maxlength
Date: 2019-October-09
Security risk: Moderately critical 13∕25
Vulnerability: Cross Site ScriptingThis module enables you to set a maximum length allowed on text fields and indicate how many characters are left.
The module doesn't sufficiently filter strings leading to a Cross Site Scripting (XSS) vulnerability.