WordPress Release: 5.1.15

Tag Name: 5.1.15

Release Date: 10/17/2022

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 5.1.15 Release

This maintenance and security release focuses on enhancing WordPress 5.1's security posture with multiple security fixes and improvements. The update includes important security patches for the REST API, media handling, post-by-email functionality, and more. Additionally, it introduces new strings to indicate security support status for WordPress versions, preparing users for future maintenance notifications. This release is critical for all WordPress 5.1 sites to maintain security and stability.

Highlights of the Release

  • Introduction of strings to indicate security support status for WordPress versions
  • Security improvements to the REST API terms endpoint
  • Enhanced security for media search functionality in the admin
  • Improved security for post-by-email functionality
  • Better validation and sanitization across multiple WordPress components

Migration Guide

No specific migration steps are required for this update. This is a standard maintenance and security release that can be applied through the normal WordPress update process.

To update:

  1. Back up your WordPress site
  2. Navigate to Dashboard > Updates
  3. Click "Update Now"
  4. Alternatively, download the release from wordpress.org and perform a manual update

As always, it's recommended to test updates on a staging environment before applying to production sites.

Upgrade Recommendations

This release contains important security fixes that address multiple vulnerabilities across different WordPress components.

Immediate upgrade is strongly recommended for all sites running WordPress 5.1.x to ensure your site remains secure against potential threats.

The security improvements in this release protect against potential vulnerabilities in the REST API, media handling, post-by-email functionality, and other core components.

This update is compatible with existing WordPress 5.1.x installations and should not cause any disruption to your site's functionality.
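
A check for the recommendation above, as an added example that is not part of the original release notes or WordPress's own code: it reads `$wp_version` from each install's `wp-includes/version.php` and flags 5.1.x installs below 5.1.15. The install paths and the `make_sample_site` helper are constructed for illustration.

```python
import re
from pathlib import Path

FIXED = (5, 1, 15)  # the release this page covers
# Matches the assignment line in wp-includes/version.php, e.g. $wp_version = '5.1.14';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)

def read_wp_version(wp_root):
    """Return the core version string of the install at wp_root, or None."""
    try:
        text = (Path(wp_root) / "wp-includes" / "version.php").read_text(errors="replace")
    except OSError:
        return None
    m = VERSION_RE.search(text)
    return m.group(1) if m else None

def parse_version(s):
    """'5.1' -> (5, 1, 0); '5.1.14' -> (5, 1, 14); None if not a version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", s or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(version_string):
    v = parse_version(version_string)
    if v is None:
        return "unknown"            # unreadable or missing version.php
    if v[:2] != FIXED[:2]:
        return "other-branch"       # not 5.1.x; this release does not apply
    return "needs-update" if v < FIXED else "patched"

def audit(roots):
    """Map each install path to (version string, status)."""
    out = {}
    for r in roots:
        ver = read_wp_version(r)
        out[str(r)] = (ver, classify(ver))
    return out

def make_sample_site(base, name, version):
    """Build a constructed install tree containing only version.php."""
    inc = Path(base) / name / "wp-includes"
    inc.mkdir(parents=True)
    (inc / "version.php").write_text("<?php\n$wp_version = '%s';\n" % version)
    return str(inc.parent)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        sites = [make_sample_site(base, n, v) for n, v in
                 [("old", "5.1.14"), ("current", "5.1.15"), ("newer", "6.0.3")]]
        for path, (ver, status) in audit(sites).items():
            print(f"{status:13} {ver:8} {path}")
```

Pre-release suffixes such as `-RC1` are ignored by `parse_version`, so review any install reporting one by hand.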

Bug Fixes

Media

  • Refactored search by filename functionality within the admin for improved security and reliability

REST API

  • Locked down post parameter of the terms endpoint to prevent potential security issues

Customizer

  • Escaped blogname option in underscores templates to prevent potential XSS vulnerabilities

Query

  • Added validation for relation parameter in WP_Date_Query to prevent potential issues

Posts and Post Types

  • Applied KSES filtering to post-by-email content for better security
  • Removed email addresses from post-by-email logs to enhance privacy

General

  • Added host validation on the "Are you sure?" screen

Pings/Trackbacks

  • Applied KSES filtering to all trackbacks to prevent potential XSS issues

Mail

  • Reset PHPMailer properties between uses to prevent potential information leakage

Widgets

  • Escaped RSS error messages for display to prevent potential XSS vulnerabilities

New Features

New Support Status Indicators

  • Added new translatable strings to indicate when a WordPress version is no longer receiving security updates
  • Added strings to notify users when a WordPress version will shortly stop receiving security updates
  • These strings are being made available to translators in preparation for future maintenance releases

Security Updates

  • REST API: Locked down the post parameter of the terms endpoint to prevent potential security vulnerabilities
  • Media: Improved security in the admin media search functionality
  • Customizer: Enhanced security by properly escaping the blogname option in underscores templates
  • Query: Added validation for the relation parameter in WP_Date_Query to prevent potential injection attacks
  • Post-by-Email: Applied KSES filtering to post-by-email content to prevent potential XSS vulnerabilities
  • Post-by-Email: Removed email addresses from logs to enhance privacy and security
  • Validation: Added host validation on the "Are you sure?" screen
  • Trackbacks: Applied KSES filtering to all trackbacks to prevent potential XSS issues
  • Mail: Fixed potential information leakage by resetting PHPMailer properties between uses
  • Widgets: Prevented XSS vulnerabilities by properly escaping RSS error messages for display

Performance Improvements

No specific performance improvements were highlighted in this release. The focus was primarily on security enhancements and bug fixes.

Impact Summary

WordPress 5.1.15 is primarily a security-focused maintenance release that addresses multiple potential vulnerabilities across core WordPress components. The release introduces strings for future security support status notifications and includes important security fixes for the REST API, media handling, post-by-email functionality, and more.

The security improvements in this release are significant and touch on multiple aspects of WordPress core functionality, including:

  1. Enhanced protection against XSS vulnerabilities in multiple components
  2. Improved validation and sanitization across the codebase
  3. Better security for the REST API endpoints
  4. Enhanced privacy by removing sensitive information from logs
  5. Preparation for future security support status notifications

While this release doesn't introduce major new features, the security enhancements are substantial and critical for maintaining the security posture of WordPress 5.1 installations. All site administrators should update to this version as soon as possible.

Statistics:

  • Files Changed: 23
  • Line Additions: 325
  • Line Deletions: 71
  • Line Changes: 396
  • Total Commits: 4

Users Affected:

  • Need to update their WordPress installations to maintain security
  • Will benefit from improved security in REST API, media handling, and other components
  • Should be aware of upcoming changes to security support status notifications

Contributors:

peterwilsoncc, audrasjb, SergeyBiryukov