WordPress security release 5.4.1 announced

This security and maintenance release features 17 bug fixes in addition to 7 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.4.1 is a short-cycle security and maintenance release. The next major release will be version 5.5.

You can download WordPress 5.4.1 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Seven security issues affect WordPress versions 5.4 and earlier. If you haven’t yet updated to 5.4, all WordPress versions since 3.7 have also been updated to fix the following security issues:

• An issue where password reset tokens were not properly invalidated
• An issue where certain private posts can be viewed unauthenticated
• An XSS issue in the Customizer
• An XSS issue in the search block
• An XSS issue in wp-object-cache
• An XSS issue in file uploads.
• A stored XSS vulnerability in the WordPress customizer.
• An authenticated XSS issue in the block editor was discovered the Duc in WordPress 5.4 RC1 and RC2. It was fixed in 5.4 RC5.

For more information, browse the full list of changes on Trac, or check out the version 5.4.1 HelpHub documentation page.