On September 9th, WordPress 5.8.1 was released. This is a security and maintenance release that closes three security holes and fixes 60 bugs. Since this is a security release, you should update your websites immediately. There are also updates for all version branches since WordPress 5.4.
WordPress 5.8.1 is a short-cycle release; the next major release will be WordPress 5.9.
You can download WordPress 5.8.1 from WordPress.org or update an existing site from Dashboard › Updates. If your site supports automatic background updates, the new version might already be installed.
Three vulnerabilities affect WordPress versions between 5.4 and 5.8. In addition to WordPress 5.8.1, new versions were also released for the other release branches starting with WordPress 5.4, which close the security gaps.
The following issues have been fixed:
- A data exposure vulnerability in the REST API, thanks to @mdawaffe from the WordPress security team for fixing the vulnerability.
- An XSS vulnerability in the block editor, many thanks to Michał Bentkowski from Securitum for reporting the vulnerability.
- The Lodash library has been updated to version 4.17.21 to incorporate security fixes contained therein.
Additionally, the security team would like to thank the following people for reporting security vulnerabilities during the WordPress 5.8 beta phase so that they could be fixed prior to release:
- Evan Ricafort reported an XSS vulnerability in the block editor.
- Steve Henty reported a privilege escalation issue in the block editor.
Thank you to everyone who reported the gaps confidentially. This gave the security team time to fix the issues before WordPress sites could be attacked.
More information about the changes in WordPress 5.8.1 can be found in the list of all changes in Trac or on the 5.8.1 documentation page.
The 5.8.1 release was led by Jonathan Desrosiers and Evan Mullins.
In addition to the security researchers and the two release leads mentioned, the following developers helped make WordPress 5.8.1 possible:
2linctools, Adam Zielinski, Alain Schlesser, Alex Lende, alexstine, AlGala, André, Andrei Draganescu, Andrew Ozz, Ankit Panchal, Anthony Burchell, Anton Vlasenko, Ari Stathopoulos, Bruno Ribaric, Carolina Nymark, Daisy Olsen, Daniel Richards, Daria, David Anderson, David Biňovec, David Herrera, Dominik Schilling, Ella van Durpe, Enchiridion, Evan Mullins, Gary Jones, George Mamadashvili, Greg Ziółkowski, Héctor Prieto, ianmjones, Jb Audras, Jeff Bowen, Joe Dolson, Joen A., John Blackbourn, Jonathan Desrosiers, JuanMa Garrido, Juliette Reinders Folmer, Kai Hao, Kapil Paul, Kerry Liu, Kevin Fodness, Marcus Kazmierczak, Mark-k, Matt, Michael Adams (mdawaffe), Mike Schroder, moch11, Mukesh Panchal, Nik Tsekouras, Paal Joachim Romdahl, Pascal Birchler, Paul Bearne, Paul Biron, Peter Wilson, Petter Walbø Johnsgård, Radixweb, Rahul Mehta, ramonopoly, ravipatel, Riad Benguella, Robert Anderson, Rodrigo Arias, Sanket Chodavadiya, Sergey Biryukov, Stephen Bernhardt, Stephen Edgar, Steve Henty, terraling, Timothy Jacobs, tmatsuur, TobiasBg, Tonya Mork, Toro_Unit (Hiroshi Urabe), Vlad T, wb1234, and WFMattR.