Subject: CVS commit: pkgsrc/www/wordpress
From: Daniel Horecki
Date: 2019-10-23 09:25:20
Message id: 20191023072520.7DD7EFA81@cvs.NetBSD.org

Log Message:
Maintenance and security update to version 5.2.4.

Changes:
5.2.4:

Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.
Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.
Props to Weston Ruter for finding a way to create a stored XSS to inject JavaScript into style tags.
Props to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.
Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.
Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.

5.2.3:
#38415: New Custom Link menu item has a wrong fallback label
#45739: Block Editor: $editor_styles bug.
#45935: A URL in do_block_editor_incompatible_meta_box function does not have classic-editor__forget parameter
#46757: Media Trash: The Bulk Media options when in the Trash shouldn’t provide two primary buttons
#46758: Media Trash: Primary button(s) should be on the left
#46899: Ensure that tables generated by the Settings API have no semantics
#47079: Incorrect version for excerpt_allowed_blocks filter
#47113: Media views: dismiss notice button is invisible
#47145: Feature Image dialog does not follow the dialog pattern
#47190: Twenty Seventeen: Native audio and video embeds have no focus state.
#47340: Twenty Nineteen: Revise Latest Posts block styles to support post content options.
#47386: Fix headings hierarchy in the legacy Custom Background and Custom Header pages
#47390: Improve accessibility of forms elements within some “form-table” forms
#47414: Twenty Seventeen: Button block preview has extra spacing within button
#47458: Fix tab sequence order in the Media attachment browser
#47489: Emoji are substituted in preformatted blocks
#47502: Media modal bottom toolbar cuts-off content in Internet Explorer 11
#47538: Minor Verbiage Update – Switch ‘developer time’ for ‘a developer’
#47543: Twenty Seventeen: buttons don’t change color on hover and focus
#47561: Plugin: View details popup layout issue
#47603: My account toggle on admin bar not visible at high zoom levels
#47604: Undefined variable: locked in wp-admin/edit-form-blocks.php
#47687: Use alt tags for gallery images in editor
#47688: Color hex code in color picker displayed in RTL instead of LTR on RTL install (take 2)
#47693: customizer Color picker should get closed when click on color picker area.
#47723: Adding a custom link in nav-menus.php doesn’t trim whitespace
#47758: Font sizes on installation screen are too small
#47835: PHP requirement always set to null for plugins
#47888: Adding a custom link in menu via Customize doesn’t trim whitespace.

Security Fixes
Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first was a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.
Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect.
Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a cross-site scripting (XSS) vulnerability in shortcode previews.
Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions.

Files:
Revision  Action  File
1.88      modify  pkgsrc/www/wordpress/Makefile
1.71      modify  pkgsrc/www/wordpress/distinfo
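A practical follow-up to a commit like this one is to find out which deployed WordPress installs are still below the fixed version. The check below is an added example written for this page, not code from pkgsrc or from WordPress: it reads the `$wp_version` assignment from a copy of `wp-includes/version.php` (the file WordPress really uses to record its version) and compares it against 5.2.4, the release named in the log message. The `version.php` text embedded in the block is a constructed sample, and the threshold applies to the 5.2 branch only; older branches that received separate backport releases are not modelled here.

```python
import re
from typing import Optional, Tuple

# Release that closes the issues listed in the commit log above (5.2 branch).
FIXED_VERSION = "5.2.4"

# Constructed sample of wp-includes/version.php; not copied from any real install.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '5.2.3';

$wp_db_version = 44719;
"""

# Matches the single-quoted or double-quoted assignment WordPress uses.
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def extract_wp_version(version_php: str) -> Optional[str]:
    """Return the version string from version.php contents, or None if absent."""
    m = _VERSION_RE.search(version_php)
    return m.group(1) if m else None


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn '5.2.4-RC1' into a sortable key.

    Numeric components are padded to three places so '5.2' == '5.2.0'.
    A final release (no suffix) sorts after any pre-release of the same
    number, so '5.2.4-RC1' < '5.2.4'.
    """
    base, _, suffix = v.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    nums = nums + (0,) * (3 - len(nums))
    is_final = 0 if suffix else 1
    return (nums, is_final, suffix.lower())


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def check_install(version_php: str) -> dict:
    """Summarise one install: its version and whether it needs the update."""
    version = extract_wp_version(version_php)
    if version is None:
        raise ValueError("no $wp_version assignment found in version.php")
    return {"version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    result = check_install(SAMPLE_VERSION_PHP)
    status = "needs update to %s" % FIXED_VERSION if result["vulnerable"] else "up to date"
    print("WordPress %s: %s" % (result["version"], status))
```

Run it against the real file with `check_install(open("/path/to/wp-includes/version.php").read())`; a pre-release build such as 5.2.4-RC1 is reported as still vulnerable, since only the final 5.2.4 carries all of the fixes listed above.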