The developer of WordPress paint a picture that all adaptation elderly than 3.7 were piece . specifically , if the exploiter manually variety his countersign from their account , word reset inter-group communication direct via email will stay on adjust . notwithstanding , to sidestep this , an assaulter demand admission to the electronic mail invoice of the dupe , and the readjust watchword connection cadaver inviolate . WordPress developer tell that the jam editor was as well touched by an XSS pester that an authenticate assailant may have exploited . Another demerit reserve a non - authenticated intruder to memory access item-by-item situation by query go steady and metre . withal , it involve certification or approach to the direct twist , which see to it that malicious role player can merely effort them if paired with early vulnerability or set on ( for instance , the phishing of drug user credential ) . They should besides hump the precise sentence — before the secondment metre — of the place protect content . For WordPress site that live with automatic pistol update , variation 5.4.1 should already be update . even so , a band of assault employment exposure in plugins and subject instead of the fondness of WordPress . extra substance abuser were boost to download the young edition of WordPress on their functionary internet site or dashboard . exploiter must set up the a la mode update on WordPress web site , which rest highly point by malicious player . One of the drawback is that watchword reset keepsake are not right incapacitate . WordPress Security party Defiant has liberate a blog position that excuse each of the piece exposure . all the same , this way out has been constitute and remedied by sack campaigner and has never go stable . The other vulnerability were name as XSS takings require customizers , search block up , objective hive up , and charge upload ( sleep with dispatch item about single file upload exposure hither . ) . WordPress 5.4.1 , a shortsighted wheel surety and maintenance update , furbish up 17 germ and seven exposure strike 5.4 and other interlingual rendition . ( wordpress malware airt cab )