WordPress 5.1.1 is now available for automatic upgrade or download. This new WordPress version is a security and maintenance release. The release introduces 10 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in WordPress 5.2 (read more here). The release also includes security fixes that handle how comments are filtered and then later stored in the underlying MySQL-database. With a specific crafted comment, a WordPress post was vulnerable to cross-site scripting attacks (XSS). WordPress versions 5.1 and before are all affected by these security bugs, and are fixed in version 5.1.1. Updated versions of WordPress 5.0 and earlier are also available for any users who have not updated to 5.1.[…]
A new WordPress version was just release. This new version addresses a security problem with the $wpdb->prepare() function. From the release notes: WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Anthony Ferrara. As the above notes says the vulnerability might affect thousands of plugins or themes and Anthony has more technical information on his blog here. WPScans.com has been updated to check for this vulnerability.