Another month of updates here. Nothing major has been done on the WordPress core in a few months; however, a number of patch releases have been made to the core for security reasons. We have applied these patches to all older WordPress versions in the V4.x range and also to newer versions in the V5.x range. All security updates were made throughout September.

  • Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first was a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.
  • Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.
  • Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
  • Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
  • Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
  • Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
  • In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.

WordPress forms V2.4.14.1

  • Added entry notes with the sending result as part of the notification sending process.
  • API: Fixed inactive notifications not being sent when using the v2 POST /entries/[ENTRY_ID]/notifications endpoint with the _notifications arg.

WordPress SEO V12.1

  • Updates the desktop snippet preview to match Google’s new font sizes.
  • Introduces the usage of the site’s favicon in the mobile snippet preview.
  • Adds a collapsible around the hidden problems and notifications on the Yoast dashboard.
  • Adds a filter wpseo_schema_organization_social_profiles that allows filtering an organization’s social profiles in the schema output.
  • Adds a filter wpseo_schema_company_name that allows filtering the company name in the schema output.
  • Adds a filter wpseo_free_schema_company_logo_id that allows filtering the company logo in the schema output.
  • Adds a filter wpseo_sitemap_exclude_empty_terms_taxonomy to control hiding empty terms per taxonomy.
  • Adds a filter wpseo_enable_structured_data_blocks to allow disabling Yoast’s structured data block editor blocks.
  • Adds a get_robots method to retrieve the robot HTML without it being output.
  • Improves the input validation on the settings pages.
  • Improves the consistency of the plugin icons.
  • Improves the How-to and FAQ blocks styling for better compatibility with the latest version of the WordPress blocks editor.

Gallery V3.2.18

  • Fixed: Ability to sort images by random
  • Fixed: Large images failed to upload on WP Engine
  • Fixed: Plupload translations not working

WordPress Events Calendar V4.9.9

  • Fix – Set the start date with the current day for the “All” events page for recurring events. Thanks Andy, leapness and others for flagging this! [130350]
  • Tweak – Updated Freemius integration code [133148]
  • Tweak – Conform iCalendar feed to specifications by not putting quotes around the timezone ID. This fixes some custom parsers [133626]
  • Language – 0 new strings added, 16 updated, 0 fuzzied, and 1 obsoleted

Friday, October 4, 2019
