WordPress 5.1.1 is now available for automatic upgrade or download. This new WordPress version is a security and maintenance release. The release introduces 10 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in WordPress 5.2. The release also includes security fixes to how comments are filtered and then stored in the underlying MySQL database. With a specially crafted comment, a WordPress post was vulnerable to cross-site scripting (XSS) attacks. WordPress versions 5.1 and earlier are affected by these security bugs, which are fixed in version 5.1.1. Updated versions of WordPress 5.0 and earlier are also available for any users who have not updated to 5.1.[…]

WordPress 5.0.1 is now available, and it is a security release for all versions since WordPress 3.7. We strongly encourage you to update all your sites immediately. Plugin authors are also encouraged to read the 5.0.1 developer notes for information on backwards compatibility, since some of the vulnerabilities covered in 5.0.1 might affect plugins. WordPress versions 5.0 and earlier are affected by the following bugs, which are fixed in version 5.0.1. Updated versions of WordPress 4.9 and older releases are also available for users who have not yet updated to 5.0. Karim El Ouerghemmi discovered that authors could alter metadata to delete files that they weren’t authorized to delete. Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input.[…]