WordPress 5.0.1 fixes 7 security issues
WordPress 5.0.1 is now available. This is a security release for all versions since WordPress 3.7. We strongly recommend that you update your website immediately. WordPress 5.0 and earlier are affected by the following issues, which are fixed in version 5.0.1. Users who have not yet updated to 5.0 can instead apply the minor-version update for their branch; for example, 4.9.8 can be updated to 4.9.9.
- Users with the Author role can alter metadata to delete files that they are not authorized to delete.
- Users with the Author role can create posts of unauthorized post types using specially crafted input.
- Users with the Contributor role can craft metadata in a way that results in PHP object injection.
- Users with the Contributor role can edit new comments from higher-privileged users, which can lead to a cross-site scripting vulnerability.
- In some cases, specially crafted URL input can lead to a cross-site scripting vulnerability. WordPress itself is not affected, but plugins may be affected in some situations.
- In some less common configurations, search engines can index the user activation screen, exposing email addresses and, in rare cases, default-generated passwords.
- Users with the Author role on Apache-hosted sites can upload specially crafted files that bypass MIME type verification, resulting in a cross-site scripting vulnerability.
The developers recommend reading this article, which covers some compatibility issues: https://make.wordpress.org/core/2018/12/13/backwards-compatibility-breaks-in-5-0-1