Last night (UK time), WordPress published its v5.2.4 security release, fixing several vulnerabilities, including two cross-site scripting (XSS) vulnerabilities within core modules. This has already been pushed to all Onyx sites with WordPress auto-updates enabled, but I’m aware that we have a significant subset of clients who prefer to check each update manually, and so have this WordPress feature disabled. As this is a security release and is unlikely to break anything (it only modifies a few files), we’d recommend implementing this update as soon as possible to keep your site protected. The fixes have also been backported to previous WordPress versions as far back as 3.9, so whichever version of WordPress you’re running, consider your site ‘at risk’ until it’s patched.
Why is this important, seeing as these vulnerabilities haven’t been seen exploited ‘in the wild’ previously? The simple answer is that now the release has been pushed, it’s likely that they will be tested. Hacker communities watch core security updates for software such as WordPress like a hawk, as they know that not everyone will update immediately.
If you’ve got any questions/concerns or need help upgrading, please do get in touch.