WordPress 5.2.4 security release has been announced

WordPress 5.2.4 is now available! This security release fixes 6 security issues.

WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2.

The following security vulnerabilities have been detected and addressed in this release:

• An issue where stored XSS (cross-site scripting) could be added via the Customizer.
• A method of viewing unauthenticated posts.
• A way to create a stored XSS to inject Javascript into style tags.
• A method to poison the cache of JSON GET requests via the Vary: Origin header.
• A server-side request forgery in the way that URLs are validated.
• Issues related to referrer validation in the admin.

For more info, browse the full list of changes on Trac or check out the Version 5.2.4 documentation page.

WordPress 5.2.4 is a short-cycle security release. The next major release will be version 5.3.

You can download WordPress 5.2.4 or visit Dashboard → Updates and click Update Now. Sites that support automatic background updates have already started to update automatically.

https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release