A stored XSS vulnerability exists in the Envira Photo Gallery plugin through 1.7.6 for WordPress. Successful exploitation of this vulnerability would allow a authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.

*   Details
*   Reviews
*   Installation
*   Development

**Gallery Plugin**

**Helpful Links:**

*   Gallery Demo
*   Gallery Documentation
*   Gallery Support

We believe that you shouldn’t have to hire a developer to create a WordPress gallery. That’s why we built Envira, a drag & drop **photo gallery plugin** that’s both EASY, FAST and POWERFUL.

Envira is highly optimized for web and server performance because we understand the importance of speed when it comes to SEO and conversion.

Works great with the top page builders including: Elementor, Beaver Builder, Divi and more.

> **Envira Pro**  
> Photo Gallery by Envira is the lite version of the popular Envira Pro plugin that comes with all the features you will ever need including albums, tags, social media integration, gallery templates / gallery layouts, deeplinking, pagination, e-commerce, image proofing, and tons more. Click here to purchase Envira Pro now!

**Envira** has been downloaded over 3,000,000 times. Here’s why smart photographers, designers, and developers love Envira, and you will too!

**Drag & Drop Gallery Builder**

We were tired with the bloated and buggy gallery widgets. That’s why we built Envira to adapt to your workflow and allow you to create in minutes. By using our easy to use drag and drop builder, you can upload your photos, rearrange them, and basically create an image gallery in 5 minutes or less.

You can also add gallery blocks built for the new WordPress 5.0 Gutenberg block editor.

> The trick to making difficult things easy is to keep the easy things still easy. **Envira makes everything easy.** If you’ve struggled with WordPress gallery plugins that take video tutorials to learn, you’re going to love Envira.  
> Chris Lema – WordPress Blogger and Speaker

**Mobile Ready, SEO Friendly and Optimized for Speed**

Envira is 100% responsive and mobile-friendly by default. We optimized every query on the front-end and the back-end to ensure maximum speed.

Plus, you have the ability for meta data, deeplinks, standalone galleries, and pagination.

**Sharing and Selling Photos Made EASY**

Social media integrations, image proofing, and WooCommerce store integration.

> Not only is Envira **exceptionally well built** behind the scenes, it’s also exceptionally easy to use. It’s perfect for those who really want to get things done.  
> Pippin Williamson – WordPress Core Contributor and founder of EasyDigitalDownloads

**Easy to Customize and Extend**

You can easily customize with our built-in WordPress templates and layouts or create your own.

But we also knew that our developer friends may want to extend it further. That’s why Envira comes with tons of hooks and filters (and yes it’s all very-well documented).

> Most WordPress gallery options are either too basic or require a PhD to figure out. For my clients, I need something that is easy to use yet powerful. Envira is the answer. Its straight forward approach means it is a breeze for my clients to quickly create galleries. Nevertheless, with the API and documentation available, it also allows developers to make customizations and extend functionality when necessary. Simply put, **Envira is a great tool** for everyone’s tool chest.  
> Jared Atchison – Top Notch Engineer and WordPress Developer

**Full Envira Feature List**

*   Guttenberg Blocks for WordPress 5.0
*   Drag & Drop Photo Gallery Builder
*   100% Responsive – Mobile Friendly
*   Beautiful Layouts / Templates for Customization
*   Albums – Easily organize your photo galleries, choose cover photos, and more.
*   Social Sharing – Share your photos on Facebook, Twitter, Pinterest, and Google+
*   Video Galleries – Not just for photos! You can add YouTube, Vimeo, Wistia, and other videos in your video gallery.
*   Watermarking – Protect your images from theft with watermarking.
*   Slideshow – Add beautiful slideshow with autoplay, manual controls, and more.
*   Deeplinking – Make your gallery and images SEO friendly and easily link to individual images with deeplinking.
*   Pagination – Split your large galleries into multiple pages to improve page speed, user experience, and pageviews.
*   Elementor – Quickly and easily create, edit, and sync your image and video galleries directly inside the Elementor page builder.
*   Image Proofing – We made client image proofing easy for your photography business.
*   WooCommerce Integration – Instantly display and sell your photos with the most popular eCommerce software on the web.
*   Image Tags – Organize your WordPress photos with tags for easy search and display that also filtrable.
*   Password Protection – Prevent unauthorized access to your WordPress galleries.
*   Standalone Galleries – Create independent galleries that are not tied to your posts or pages.
*   EXIF Meta Data – Display your EXIF data including camera model, aperture, shutter speed, and more.
*   Pinterest – Add the Pinterest Pin It button to improve your reach.
*   Instagram – Import Instagram images.
*   FullScreen Display – Take advantage of the native fullscreen and Lightbox display.
*   Supersized Images – Don’t want to crop or resize your images? Supersize allows you to do just that.
*   Dynamic Galleries – Easily create galleries on the fly from various different sources.
*   Gallery Defaults – Speed up the creation process by saving your default settings.
*   CSS Styles – Customize your portfolio by adding custom CSS and styles.
*   Adobe Lightroom to WordPress – Do you love Adobe Lightroom? We do too. You can automatically create and sync photo galleries from your Adobe Lightroom Collections. We made Lightroom to WordPress import easy!
*   Zip Importer – Nobody likes uploading images individually. Now you can build a gallery from a .zip file.
*   Dropbox Importer – You can easily import photos from your Dropbox account.
*   NextGen Importer – Not a fan of NextGen? You can import your files in few simple clicks.
*   Auto Image Compression – Reduce the file size of your images and make your site run fast.
*   Want us to add something else? Suggest a feature and we’ll get it added!

> When it comes to WordPress gallery plugins, **Envira has no equal**. Solid enough to do the job right, while flexible enough to handle any situation you can throw at it.  
> Andrew Norcross – Expert WordPress Consultant and Core Contributer

**Demos**

While Envira offers tons of features, below are some of the most requested demos.

*   WordPress Lightbox Photo Display Demo
*   WordPress Masonry Display Demo
*   WordPress Photo Albums Demo
*   WordPress Polaroid Photo Display Demo
*   WordPress Video Display Demo
*   See the full list of Envira Demos

**Popular Envira Tutorials**

We share tons of photography tutorials at the Envira blog.

Below are some of the most popular Envira tutorials:

*   How to Add a Polaroid Gallery in WordPress
*   How to Create a Masonry Image Gallery in WordPress
*   How to Create a Photo Album in WordPress
*   How to Create an Image Slider for Your WordPress Galleries
*   How to Add Pagination in WordPress Image Galleries

**Credits****What’s Next**

If you like this plugin, then consider checking out our other plugins:

*   Soliloquy – The Best WordPress Slider Plugin
*   WP-PDF Embedder – The Best WordPress PDF Embedding Plugin

1.  Install Envira Lite either via the WordPress.org plugin repository or by uploading the files to your server. (See instructions on how to install a WordPress plugin)
2.  Activate Envira Lite.
3.  Navigate to the Envira tab at the bottom of your admin menu and click the “Add New” button to begin creating, or you can create directly inside the post/page/custom post type of your choice.
4.  Salivate for new features and purchase the full version of Envira!

**Who should use Envira?**

Envira is perfect for photographers, designers, bloggers, and small businesses.

**Do I need to have coding skills to use Envira?**

Absolutely not. You can create and customize beautiful image and video galleries without any coding knowledge. We made it super easy.

**What kind of galleries can I create with Envira Gallery?**

Here are the types of galleries you can create:

Photo / Image  
Video Gallery  
Fullscreen  
Image Gallery with Albums  
Image Gallery with Lightbox  
Featured Content  
Masonry Photo  
Justified Image  
Image Gallery with Pagination  
Polaroid Image  
Instagram Photo Gallery  
Image Gallery with Tags  
Pinterest Image Gallery  
Photo Gallery with EXIF Data  
Image Gallery with Watermarks  
Photo Gallery with Slideshow  
Image Gallery with Zoom  
Photo Gallery with Proofing  
Lazyload  
WooCommerce Product  
Image Gallery with Lightroom Photos  
Password Protected Photo  
Dropbox Images  
Image from Zip Files  
Photos with Breadcrumb Navigation  
Custom Post Type Content  
YouTube Video  
Vimeo Video  
Wistia Video  
Twitch.tv Video  
Custom Video  
Dynamic Photos  
Portfolio  
Tiles  
Grid  
Music Gallery

**I’d like access to all features. How can I get them?**

You can get access to more features, Addons and support by visiting the Envira website and purchasing a support license. Purchasing a support license gets you access to the full version of Envira, automatic updates and support, and depending on the level of support license, you can even get exclusive access to Envira Addons!

**Is Envira translation ready?**

Yes, Envira has full translation and localization support via the envira-gallery textdomain. To submit a translation, see https://translate.wordpress.org/projects/wp-plugins/envira-gallery-lite

Easy to use and the customers love it.

Unfortunately, the "Load more" button no longer works and for about 6 weeks we have been waiting for a solution from support. We use Envira in the pay variant.

This is the fastest, easiest to use WordPress image gallery plugin.

easy to use - works great!thanks for that

So many of the blocks I use are not optimized for SEO. This is one of the few that actually brings out the title and alt tags.

Read all 1,500 reviews

“Gallery Plugin for WordPress – Envira Photo Gallery” is open source software. The following people have contributed to this plugin.

Contributors

1.8.6.1

*   Fixed: depricated usort callback

1.8.6

*   Fixed: php 8 compatibility

1.8.5.3

*   Fixed: Links not opening in new window

1.8.5.2

*   Fixed: Undefined function enviratope on mason layouts.

1.8.5.1

*   Fixed: incorrect variable name.

1.8.5

*   Fixed: Improve sanitization.
*   Fixed: Remove legacy code.
*   Fixed: Replace local scripts with WordPress core scripts

1.8.4.7

*   Fixed: Improve admin sanitization.

1.8.4.6

*   Fixed: Javascript warnings when adding a gallery in the block editor.

1.8.4.5

*   Fixed: Tweaked icon spacing and placement in image editor blocks.

1.8.4.4

*   Fixed: Issue involving not being able to edit caption or title in the block editor for individual images in a gallery in certain layouts.

1.8.4.3

*   Fixed: Issue involving fatal error when empying a gallery from the trash.

1.8.4.2

*   Fixed: Corrected text box type and visual look of subscription form signup modal.

1.8.4.1

*   Fixed: Resolved fatal error upon checking for active plugins upon loading.

1.8.4.0

*   Fixed: Issue involving margin resets in block editor.
*   Fixed: Issue involving margin resets in block editor.
*   Fixed: Issue involving gallery button with Classic Editor.
*   Fixed: Resolved conflict with Enhanced Media Replace Pro.
*   Fixed: PHP 8.x and related notices and warnings.

1.8.3.9

*   Updated: Images

1.8.3.8

*   Updated: Getting Started area – new tab and updated CSS.

1.8.3.7

*   Fixed: Issue regarding lightbox and uploaded WebP images.

1.8.3.6

*   Updated: Removed Additional Marketing Copy
*   Added: WebP Support

1.8.3.5

*   Updated: Expired Marketing Offer

1.8.3.4

*   Updated: Promotional messages.
*   Fixed: PHP 8 related notices.

1.8.3.3

*   Fixed: Improving metadata sanitization.

1.8.3.2

*   Fixed: Lightbox Bug with WordPress 5.6.0

1.8.3.1

*   Added: Lifetime option notice.

1.8.3

*   Updated: Recent News On Welcome Screen.
*   Updated: Links On What’s New Screen.

1.8.2

*   Added: Most Popular sort in Addons screen.
*   Updated: Recent News On Welcome Screen.
*   Updated: Links On What’s New Screen.

1.8.1.0

*   Added: envira\_gallery\_output\_item\_src\_retina filter.
*   Added: envira\_gallery\_title\_display filter.
*   Added: filters for aspectRatio, loop, lightbox openclose effect, and more for Fancybox settings.
*   Updated: Subscription number.
*   Updated: Remove references to Facebook Video.

1.8.0.3

*   Fix: Tweak UI for upcoming WordPress 5.5 admin visual changes.
*   Fix: Removed outdated URL from translation files.

1.8.0.2

*   Removed: Legacy style related to Gutenberg.

1.8.0.1

*   Removed: Redirect upon updating.

1.8.0

*   Added: Enable links in lightbox settings, when lightbox is deactivated.

CVE-2020-9334: Gallery Plugin for WordPress – Envira Photo Gallery

The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. These can be exploited by targeting an authenticated user.

CVE-2020-8426

The LearnDash LMS plugin before 3.1.2 for WordPress allows XSS via the ld-profile search field.

While performing a security audit on one of our client’s website, I discovered a reflected cross-site scripting vulnerability in the WordPress LMS plugin by LearnDash. All WordPress websites using LearnDash version from 3.0.0 through 3.1.1 are affected.

**CVE ID:** CVE-2020-7108  
**CWE ID:** CWE-79

****Summary****

LearnDash is one of the most popular and easiest to use WordPress LMS plugins in the market. It allows users to easily create courses and sell them online and boasts a large customer base. The XSS vulnerability in LearnDash can be exploited by attackers against authenticated users to perform malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

**Vulnerability**

Once the user is logged in to the WordPress website where the vulnerable LearnDash plugin is installed, the XSS payload can be inserted into the **Search Your Courses** box. The payload gets executed because the user input is not properly validated.

As a result, passing the XSS payload as a query string in the URL will also execute the payload.

[wordpress website][learndash my-account page]?ld-profile-search=%3Cscript%3Ealert(document.cookie)%3C/script%3E

An attacker can modify the above URL and use an advanced payload that could help him/her in performing malicious actions.

****Timeline****

Vulnerability reported to the LearnDash team – January 14, 2020  
LearnDash version 3.1.2 containing the fix to the vulnerability was released on the same day.

****Recommendation****

It is highly recommended to update the plugin to the latest version. If you are using the Astra Security Suite, you are protected against this vulnerability.

For best security practices, you can follow the below guides:

*   WordPress Security Guide
*   WordPress Hack and Malware Removal

**Reference**

WPVulnDB  
CVE MITRE

**Jinson Varghese**

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.

CVE-2020-7108: LearnDash Plugin Vulnerable To Reflected XSS: Update Immediately

The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users.

**CSV Injection**, also known as **Formula Injection**, occurs when websites embed untrusted input inside **CSV** files. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a **CSV**, any cells starting with ‘=’ will be interpreted by the software as a **formula**

👨🏼‍💻Discovered by **Pablo Santiago.**

📝Published **02/01/2020.**

💉**CVE-2019–20180**

🔗**Vulnerable Version Download**

📄**Vulnerable version ≤ 1.9.2**

✅**Solution: Update to version 1.10**

****Mitigation CSV Injection****

Ensure that no cells begin with any of the following characters:

*   Equals to (“=”)
*   Plus (“+”)
*   Minus (“-”)
*   At (“@”)

****Attack Vector / Criticality — Medium****

Through CSV injection vulnerability a malicious user can force other user to execute code in his machine, for example this can be used for spread malware..

**Paremeters / Vulnerable Resources**

As shows the next image the parameter vulnerable is tablepress\[data\].

****PoC****

AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N

CVE-2019-20180: CVE-2019–20180 TABLEPRESS — 1.9.2- CSV Injection - 0xPablito - Medium

A flaw in Give before 2.5.5, a WordPress plugin, allowed unauthenticated users to bypass API authentication methods and access personally identifiable user information (PII) including names, addresses, IP addresses, and email addresses. Once an API key has been set to any meta key value from the wp_usermeta table, and the token is set to the corresponding MD5 hash of the meta key selected, one can make a request to the restricted endpoints, and thus access sensitive donor data.

**Description**: Authentication Bypass with Information Disclosure  
**CVSS v3.0 Score**: 7.5 (High)  
**CVSS Vector String:** CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  
**Affected Plugin:** GiveWP  
**Plugin Slug:** give  
**Affected Versions:** <= 2.5.4  
**Patched Version:** 2.5.5

A few weeks ago, our Threat Intelligence team discovered a vulnerability present in GiveWP, a WordPress plugin installed on over 70,000 websites. The weakness allowed unauthenticated users to bypass API authentication methods and potentially access personally identifiable user information (PII) like names, addresses, IP addresses, and email addresses which should not be publicly accessible. 

We privately disclosed the issue to the plugin’s developer on September 3rd, who were quick to respond and released a patch shortly after. Wordfence Premium customers received a new firewall rule on September 4th to protect against exploits targeting this vulnerability. Free Wordfence users will receive the rule after thirty days.

This is considered a high security issue, and **websites running Give 2.5.4 or below should be updated to version 2.5.5 or later right away.**

**Vulnerability In Detail**

GiveWP provides users with an API functionality in order to integrate donation data into webpages and applications like Zapier. Site owners are able to generate a unique API key along with a token and private key that can be used to access restricted endpoints and gain access to donation data. However, it turned out that if no API key was generated, any user was able to access restricted endpoints by simply selecting any meta key from the wp_usermeta table and setting that as the authentication key. For instance, the nickname or session_tokens meta key (which are defined for all users) could have been supplied instead of a valid API key. There is also an authentication token that is used to validate this API request, however, for users that have not generated an API key, the authentication token is simply just the MD5 hash of the meta key that is used in place of a valid API key.

The API key validation method can be found in the validate_request() method seen below.

private function validate\_request() {
		global $wp\_query;

		$this->override = false;

		// Make sure we have both user and api key
		if ( ! empty( $wp\_query->query\_vars\['give-api'\] ) && ( $wp\_query->query\_vars\['give-api'\] !== 'forms' || ! empty( $wp\_query->query\_vars\['token'\] ) ) ) {

			if ( empty( $wp\_query->query\_vars\['token'\] ) || empty( $wp\_query->query\_vars\['key'\] ) ) {
				$this->missing\_auth();

				return false;
			}

			// Retrieve the user by public API key and ensure they exist
			if ( ! ( $user = $this->get\_user( $wp\_query->query\_vars\['key'\] ) ) ) {

				$this->invalid\_key();

				return false;

			} else {

				$token  = urldecode( $wp\_query->query\_vars\['token'\] );
				$secret = $this->get\_user\_secret\_key( $user );
				$public = urldecode( $wp\_query->query\_vars\['key'\] );

				if ( hash\_equals( md5( $secret . $public ), $token ) ) {
					$this->is\_valid\_request = true;
				} else {
					$this->invalid\_auth();

					return false;
				}

			}
		} elseif ( ! empty( $wp\_query->query\_vars\['give-api'\] ) && $wp\_query->query\_vars\['give-api'\] === 'forms' ) {
			$this->is\_valid\_request = true;
			$wp\_query->set( 'key', 'public' );
		}
	}

The first check verifies if there is a valid user and API key, if there is no token or API key set then the request is automatically denied from moving further. If we have both the token and key set, we can then move on to retrieving the user by the public API key that was set and this is where we find our first major problem.

We then get to the get_user() method that does a check based on the API key that was provided. Unfortunately, in this check it doesn’t verify if the key was one generated by the Give API, but rather just fetches the user_id for any meta key in the wp_usermeta table, so if we pass in nickname or session_tokens as our meta key we’ll get back a valid user.

	public function get\_user( $key = '' ) {
		global $wpdb, $wp\_query;

		if ( empty( $key ) ) {
			$key = urldecode( $wp\_query->query\_vars\['key'\] );
		}

		if ( empty( $key ) ) {
			return false;
		}

		$user = Give\_Cache::get( md5( 'give\_api\_user\_' . $key ), true );

		if ( false === $user ) {
			$user = $wpdb->get\_var( $wpdb->prepare( "SELECT user\_id FROM $wpdb->usermeta WHERE meta\_key = %s LIMIT 1", $key ) );
			Give\_Cache::set( md5( 'give\_api\_user\_' . $key ), $user, DAY\_IN\_SECONDS, true );
		}

		if ( $user != null ) {
			$this->user\_id = $user;

			return $user;
		}

		return false;
	}

The next check is to verify a “signature” of the user’s API key which is the MD5 hash of a secret key concatenated with the supplied API key. The secret key is normally defined when an API key is created for a given user. For user’s that have not generated an API key, the secret is an empty value, so a valid signature can be forged using just the MD5 value of the meta key that we’ve passed in instead of a valid API key.

	$token  = urldecode( $wp\_query->query\_vars\['token'\] );
				$secret = $this->get\_user\_secret\_key( $user );
				$public = urldecode( $wp\_query->query\_vars\['key'\] );

				if ( hash\_equals( md5( $secret . $public ), $token ) ) {
					$this->is\_valid\_request = true;

**Taking a Look at the Exploit**

Once the key has been set to any meta key value from the wp_usermeta table, and the token is set to the corresponding MD5 hash of the meta key selected, you can make a request to the restricted endpoints accessing sensitive donor data. In this example, we used the meta\_key session_tokens and the MD5 hash of the string session_tokens which is ea78b7d35ff75719b36056cfa14ddcc8.

Personally Identifiable Information displayed when accessing vulnerable “donations” endpoint from GiveWP plugin.

As you can see, information in these endpoints can contain PII like names, addresses, IP addresses, and email addresses which should not be publicly accessible.

**Disclosure Timeline**

**September 3rd** – Plugin developer notified of the security issue  
**September 4th** – Firewall rule released to Wordfence Premium users  
**September 20th** – Patch released  
**October 4th** – Firewall rule becomes available to free users

**Conclusion**

In today’s post, we detailed an authentication bypass flaw present in the GiveWP plugin. This flaw has been patched in version 2.5.5 and we recommend users update to the latest version available. Sites running Wordfence Premium have been protected from attacks against this vulnerability since September 4th, 2019. Sites running the free version of Wordfence will receive the firewall rule update on October 4th, 2019.

_Thank you to the plugin’s team at GiveWP, for their extremely prompt response and cooperation to get a fix out quickly, and to Matt Barry, Wordfence’s Lead Developer, for his assistance in researching this vulnerability._

CVE-2019-20360: Authentication Bypass Vulnerability in GiveWP Plugin

There was a flaw in the WordPress plugin, Email Subscribers & Newsletters before 4.3.1, that allowed SQL statements to be passed to the database in the hash parameter (a blind SQL injection vulnerability).

CVE-2019-20361

The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrated by a certain payload with jaVasCript:/* at the beginning and a crafted SVG element.

CVE-2019-20204: Postie

An XSS issue was discovered in the Laborator Neon theme 2.0 for WordPress via the data/autosuggest-remote.php q parameter.

CVE-2019-20141

In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the function wp_targeted_link_rel() can be used in a particular way to result in a stored cross-site scripting (XSS) vulnerability. This has been patched in WordPress 5.3.1, along with all the previous WordPress versions from 3.7 to 5.3 via a minor release.

CVE-2019-20042

wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 mishandles the HTML5 colon named entity, allowing attackers to bypass input sanitization, as demonstrated by the javascript&colon; substring.

WordPress 5.3.1 is now available!

This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.1 by clicking the button at the top of this page, or visit your **Dashboard → Updates** and click **Update Now**.

If you have sites that support automatic background updates, they’ve already started the update process.

**Security updates**

Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.3, there are also updated versions of 5.2 and earlier that fix the security issues.

*   Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
*   Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
*   Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
*   Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.

**Maintenance updates**

Here are a few of the highlights:

*   Administration: improvements to admin form controls height and alignment standardization (see related dev note), dashboard widget links accessibility and alternate color scheme readability issues (see related dev note).
*   Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
*   Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
*   Date/time: improve non-GMT dates calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
*   Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
*   External libraries: update sodium_compat.
*   Site health: allow the remind interval for the admin email verification to be filtered.
*   Uploads: avoid thumbnails overwriting other uploads when filename matches, and exclude PNG images from scaling after upload.
*   Users: ensure administration email verification uses the user’s locale instead of the site locale.

For more information, browse the full list of changes on Trac or check out the version 5.3.1 HelpHub documentation page.

**Thanks!**

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.3.1:

123host, acosmin, Adam Silverstein, Albert Juhé Lluveras, Alex Concha, Alex Mills, Anantajit JG, Anders Norén, andraganescu, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andrey “Rarst” Savchenko, aravindajith, archon810, Ate Up With Motor, Ayesh Karunaratne, Birgir Erlendsson (birgire), Boga86, Boone Gorges, Carolina Nymark, Chetan Prajapati, Csaba (LittleBigThings), Dademaru, Daniel Bachhuber, Daniele Scasciafratte, Daniel Richards, David Baumwald, David Herrera, Dion hulse, ehtis, Ella van Durpe, epiqueras, Fabian, Felix Arntz, flaviozavan, Garrett Hyder, Glenn, Grzegorz (Greg) Ziółkowski, Grzegorz.Janoszka, Hareesh Pillai, Ian Belanger, ispreview, Jake Spurlock, James Huff, James Koster, Jarret, Jasper van der Meer, Jb Audras, jeichorn, Jer Clarke, Jeremy Felt, Jip Moors, Joe Hoyle, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Joost de Valk, Jorge Costa, Joy, Juliette Reinders Folmer, justdaiv, Kelly Dwan, Kharis Sulistiyono, Kite, kyliesabra, lisota, lukaswaudentio, Maciej Mackowiak, marcelo2605, Marius L. J., Mat Lipe, mayanksonawat, Mel Choyce-Dwan, Michael Arestad, miette49, Miguel Fonseca, mihdan, Mike Auteri, Mikko Saari, Milan Petrovic, Mukesh Panchal, NextScripts, Nick Daugherty, Niels Lange, noyle, Ov3rfly, Paragon Initiative Enterprises, Paul Biron, Peter Wilson, Rachel Peter, Riad Benguella, Ricard Torres, Roland Murg, Ryan McCue, Ryan Welcher, SamuelFernandez, sathyapulse, Scott Taylor, scvleon, Sergey Biryukov, sergiomdgomes, SGr33n, simonjanin, smerriman, steevithak, Stephen Bernhardt, Stephen Edgar, Steve Dufresne, Subrata Mal, Sultan Nasir Uddin, Sybre Waaijer, Tammie Lister, Tanvirul Haque, Tellyworth, timon33, Timothy Jacobs, Timothée Brosille, tmatsuur, Tung Du, Veminom, vortfu, waleedt93, williampatton, wpgurudev, and Zack Tollman.

Tag

#wordpress