WordPress 5.8.3 Security Release

On January 6, WordPress 5.8.3 was released. This is a security release, so you should update your sites as soon as possible. Updates have been provided for all version branches since WordPress 3.7.

WordPress 5.8.3 is a short-cycle release. The next major release will be WordPress 5.9, which is already in release candidate status.

You can update to the new version in the backend under Dashboard → Updates. If your site supports automatic background updates, you may already have the update installed.

Security updates

WordPress versions 3.7 to 5.8 are affected by three or four of the vulnerabilities, depending on the version, so an update was released not only for the 5.8 branch but also for all older branches back to 3.7. The following vulnerabilities have been closed:

  • XSS vulnerability via post slugs. Thanks to Karim El Ouerghemmi and Simon Scannell of SonarSource for the report.
  • Object injection in some multi-site installations. Thanks to Simon Scannell of SonarSource for the report.
  • SQL injection in WP_Query. Thanks to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with the Trend Micro Zero Day Initiative to report the vulnerability.
  • SQL injection in WP_Meta_Query (only applies to versions 4.1-5.8). Thanks to Ben Bidner of the WordPress security team for reporting the vulnerability.

Thanks to everyone for reporting vulnerabilities responsibly. This gave the security team time to fix the problems before the vulnerabilities became public. Thanks to the security team for the WordPress fixes.

More information about the release is available on the 5.8.3 HelpHub page.

Thank you

The 5.8.3 release was led by @desrosj and @circlecube.

In addition to security researchers and release managers, thanks to everyone who made WordPress 5.8.3 possible:

Alex Concha, Dion Hulse, Dominik Schilling, ehtis, Evan Mullins, Jake Spurlock, Jb Audras, Jonathan Desrosiers, Ian Dunn, Peter Wilson, Sergey Biryukov, vortfu and zieladam.