WordPress 5.3.1 Released – Several Security Vulnerabilities Are Fixed – Update Now

WordPress 5.3.1 released with security and maintenance based updates with 46 fixes and enhancements.

There are 4 security vulnerabilities fixed in this update that affects WordPress versions 5.3 and earlier.

The first one is a privilege escalation vulnerability that allows an unprivileged user could make a post sticky via the REST API.
The second one is Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
There are two Cross-site scripts (XSS) vulnerabilities are fixed in this release, one could be stored in well-crafted links and the other one, a stored XSS vulnerability using block editor content.

WordPress announced that the WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.

There are several maintenance updates are released including the following:

Administration: improvements to admin form controls height and alignment standardization (see related dev note), dashboard widget links accessibility and alternate color scheme readability issues (see related dev note).
Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
Date/time: improve non-GMT dates calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
External libraries: update sodium_compat.
Site health: allow the remind interval for the admin email verification to be filtered.
Uploads: avoid thumbnails overwriting other uploads when filename matches, and exclude PNG images from scaling after upload.
Users: ensure administration email verification uses the user’s locale instead of the site locale.