WordPress 4.2.20 Vulnerabilities

Version released on 2018-04-03
Changelog
Download tar
Download zip

2019-12-13	WordPress <= 5.3 - Improper Access Controls in REST API	fixed in version 4.2.26
2019-12-13	WordPress <= 5.3 - Stored XSS via Crafted Links	fixed in version 4.2.26
2019-12-13	WordPress <= 5.3 - Stored XSS via Block Editor Content	fixed in version 4.2.26
2019-12-13	WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass	fixed in version 4.2.26
2019-10-14	WordPress <= 5.2.3 - Stored XSS in Customizer	fixed in version 4.2.25
2019-10-14	WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts	fixed in version 4.2.25
2019-10-14	WordPress <= 5.2.3 - Stored XSS in Style Tags	fixed in version 4.2.25
2019-10-14	WordPress <= 5.2.3 - JSON Request Cache Poisoning	fixed in version 4.2.25
2019-10-14	WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation	fixed in version 4.2.25
2019-10-14	WordPress <= 5.2.3 - Admin Referrer Validation	fixed in version 4.2.25
2019-09-05	WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation	fixed in version 4.2.24
2019-03-13	WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)	fixed in version 4.2.23
2019-02-19	WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution	fixed in version 5.0.1
2018-12-13	WordPress <= 5.0 - Authenticated File Delete	fixed in version 4.2.22
2018-12-13	WordPress <= 5.0 - Authenticated Post Type Bypass	fixed in version 4.2.22
2018-12-13	WordPress <= 5.0 - PHP Object Injection via Meta Data	fixed in version 4.2.22
2018-12-13	WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)	fixed in version 4.2.22
2018-12-13	WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins	fixed in version 4.2.22
2018-12-13	WordPress <= 5.0 - User Activation Screen Search Engine Indexing	fixed in version 4.2.22
2018-12-13	WordPress <= 5.0 - File Upload to XSS on Apache Web Servers	fixed in version 4.2.22
2018-06-27	WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion	fixed in version 4.2.21