WordPress Release: 3.5.2

Tag Name: 3.5.2

Release Date: 6/21/2013

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.5.2 is a security and maintenance release that addresses several important security vulnerabilities and fixes numerous bugs. This update includes improved URL handling, better validation in core functions, and updated components like Akismet and TinyMCE. It's a critical security update that all WordPress site owners should install immediately to protect their websites from potential exploits.

Highlights of the Release

    • Multiple security enhancements and vulnerability fixes
    • Updated Akismet to version 2.5.8
    • Fixed TinyMCE editor issues in WebKit browsers
    • Improved URL handling and validation throughout the system
    • Enhanced password and nonce validation

Migration Guide

No specific migration steps are required for this update. As this is a security and maintenance release, the update process follows the standard WordPress update procedure:

  1. Back up your website files and database before updating
  2. Update through the WordPress dashboard or via manual update
  3. Test your website functionality after the update

No database schema changes or breaking changes were introduced that would require special migration steps.

Upgrade Recommendations

Immediate upgrade strongly recommended

WordPress 3.5.2 contains multiple security fixes that address important vulnerabilities. All WordPress site owners should update immediately to protect their websites from potential security exploits.

This is a maintenance and security release that doesn't introduce breaking changes, making it a safe update for all WordPress 3.5.x installations. The security improvements alone make this an essential update for all WordPress sites.

Bug Fixes

  • Fixed URL scheme handling to treat schemes as case insensitive in esc_url()
  • Fixed get_post_ancestors() to properly inspect the global $post variable when null/0 is received
  • Fixed gallery insertion to respect the "link to" setting
  • Fixed context for get_post() in the deprecated wp_get_single_post() function
  • Corrected option name when deleting embed_autourls
  • Fixed fallback to non-translated strings in _doing_it_wrong() when translation function doesn't exist
  • Fixed fatal error in WP_User_Query
  • Removed screen reader shortcut 'Log Out' link in the toolbar when user is not logged in
  • Fixed variable order in add_query_arg() which broke some URL situations
  • Fixed storage of illegal_names and added an upgrade routine to fix bad values
  • Fixed backspace and line break issues in TinyMCE editor for WebKit browsers
  • Enhanced wpdb::flush() to reset more variables
  • Fixed hooks in edit-form-advanced.php to properly pass $post parameter
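
The esc_url() item above rests on the fact that URL schemes are case-insensitive (RFC 3986). The PHP sketch below is an added example, not WordPress core code; the function names, scheme lists and sample URLs are assumptions constructed for illustration. It compares exact-case and case-folded scheme checks against both an allowlist and a denylist.

```php
<?php
// Added illustration; not WordPress core code. All names here are hypothetical.
const ALLOWED = ['http', 'https', 'mailto'];
const DENIED  = ['javascript', 'data', 'vbscript'];

/** Return the URL's scheme exactly as written, or null for a relative URL. */
function raw_scheme(string $url): ?string {
    // Browsers skip leading whitespace and control bytes before the scheme.
    $url = ltrim($url, "\x00..\x20");
    // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    return preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m) ? $m[1] : null;
}

/** Allowlist check; $fold selects case-insensitive comparison. */
function allowed(string $url, bool $fold): bool {
    $s = raw_scheme($url);
    if ($s === null) return true;            // no scheme: relative URL
    return in_array($fold ? strtolower($s) : $s, ALLOWED, true);
}

/** Denylist check, included only to contrast how it fails. */
function not_denied(string $url, bool $fold): bool {
    $s = raw_scheme($url);
    if ($s === null) return true;
    return !in_array($fold ? strtolower($s) : $s, DENIED, true);
}

// Constructed sample inputs.
$samples = ['https://example.org/', 'HTTPS://example.org/', 'JavaScript:void(0)', '/wp-admin/'];

foreach ($samples as $u) {
    printf("%-24s allow(exact)=%d allow(fold)=%d deny(exact)=%d deny(fold)=%d\n",
        $u, allowed($u, false), allowed($u, true),
        not_denied($u, false), not_denied($u, true));
}
```

With exact comparison the allowlist fails closed (it rejects the valid `HTTPS://` URL), while the denylist fails open (it passes the mixed-case `JavaScript:` URL); lowercasing the scheme before comparing corrects both.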

New Features

WordPress 3.5.2 is primarily a security and maintenance release, focusing on fixing vulnerabilities and bugs rather than introducing new features. The update includes:

  • Updated Akismet plugin to version 2.5.8
  • Updated TinyMCE media plugin with latest moxieplayer.swf
  • Updated SWFUpload binary for security improvements

Security Updates

  • Added strict validation checks to wp_verify_nonce() to prevent improper usage
  • Enhanced password hash validation in phpass's CheckPassword() method
  • Improved validation of post password hashes
  • Updated SWFUpload binary to address security concerns
  • Added better sanity checks in oEmbed XML handling
  • Improved HTML escaping in the plugin/theme upgrader
  • Enhanced validation of URLs used in core HTTP requests
  • Updated TinyMCE media plugin's moxieplayer.swf to latest version
  • Implemented better capability checks in _wp_translate_post_data()
  • Improved URL handling and validation throughout the system
  • Funneled all redirect requests through WP_HTTP::request() via wp_remote_request() for better security

Performance Improvements

This release doesn't include significant performance improvements as it's primarily focused on security enhancements and bug fixes. However, some of the fixes may indirectly improve performance by:

  • Improving database handling through better wpdb::flush() implementation
  • Enhancing HTTP request handling and validation
  • Updating components to their latest versions which may include performance optimizations

Impact Summary

WordPress 3.5.2 is a critical security release that addresses multiple vulnerabilities and fixes several bugs. The update significantly improves the security posture of WordPress installations by enhancing validation in core functions like wp_verify_nonce(), password handling, and URL processing.

The release also fixes several user-facing issues, including problems with the TinyMCE editor in WebKit browsers, gallery insertion settings, and accessibility improvements for screen readers. Developers will benefit from fixes to several core functions and improved error handling.

While this update doesn't introduce new features, it's an essential security update that all WordPress site owners should install immediately. The security enhancements protect against potential exploits, and the bug fixes improve overall stability and functionality.

Statistics:

  • Files Changed: 46
  • Line Additions: 273
  • Line Deletions: 208
  • Line Changes: 481
  • Total Commits: 38

Users Affected:

  • Enhanced security against potential exploits
  • Improved URL handling and validation
  • Better error messages for uploads
  • Updated components (Akismet, TinyMCE, SWFUpload)

Contributors:

nacin, ryanboren