WordPress Release: 5.1.16

Tag Name: 5.1.16

Release Date: 5/16/2023

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 5.1.16 is a maintenance and security release that addresses several important issues. It includes security fixes for CSRF vulnerabilities in media attachment thumbnails and improves embed code validation. The release also enhances internationalization support with new strings for end-of-life updates and introduces locale sanitization. Additionally, it updates GitHub Actions workflows to ensure continued functionality and improves test tools by removing external dependencies.

Highlights of the Release

    • Security fixes for CSRF vulnerabilities in media attachment thumbnails
    • Improved protocol validation for WordPress Embed code
    • New sanitization function for locales
    • Added new translatable strings for end-of-life updates
    • Refactored HTTP redirect handling tests to remove external dependencies

Migration Guide

This release contains primarily security fixes and maintenance improvements that don't require specific migration steps. However, developers should note:

  • If you've built custom code that interacts with WordPress's HTTP redirect handling, be aware that the internal testing methodology has changed, though the functionality remains the same.

  • If you're using GitHub Actions for WordPress plugin or theme development based on WordPress's workflows, you may want to update your workflows to address the same deprecated notices that were fixed in this release.

Upgrade Recommendations

Immediate upgrade recommended for all installations.

This release contains important security fixes that protect your site from potential vulnerabilities. All WordPress site owners should update to version 5.1.16 as soon as possible to ensure their sites remain secure.

For sites on managed WordPress hosting, many providers will automatically update to this version. However, it's always good practice to verify your WordPress version after security releases.

Bug Fixes

  • HTTP Redirect Handling: Refactored and re-enabled an existing test for WP_HTTP::handle_redirects() so that it calls the method directly with a mocked array of HTTP headers containing multiple location headers, removing wordpress.org as an external dependency.

  • Block Editor: Ensured block comments are of a valid form, preventing potential issues with malformed comments.

  • GitHub Actions Workflows: Fixed deprecated notices related to save-output and set-output to ensure workflows continue to run after these features are removed.

New Features

  • End-of-Life Update Notifications: Added new translatable strings in about.php for use when releasing the final version of WordPress on a particular branch, improving communication about version support lifecycle.

  • Locale Sanitization: Introduced a new sanitization function for locales to enhance security and ensure proper formatting of locale strings throughout the system.

Security Updates

  • Media Attachment Thumbnails: Fixed a CSRF vulnerability in the process of setting attachment thumbnails, ensuring that only authorized users can modify media attachments.

  • WordPress Embed Code: Added protocol validation for WordPress Embed code to prevent potential security issues with malicious embed sources.

  • Block Comments: Improved validation to ensure block comments are of a valid form, preventing potential security issues with malformed comments.

Performance Improvements

  • GitHub Actions Workflows: Added support for automatically retrying a failed workflow once, reducing manual intervention needed for transient CI failures.

  • Docker Environment: Backported Docker environment related tooling updates for improved consistency and reliability across branches.

Impact Summary

WordPress 5.1.16 is primarily a security and maintenance release that addresses several important vulnerabilities and improves the stability of the platform. The security fixes for CSRF in media attachments and improved embed code validation are particularly important for all WordPress installations.

The release also includes improvements to internationalization support with new strings for end-of-life updates and a new locale sanitization function. These changes enhance WordPress's ability to communicate important lifecycle information to users in their preferred language.

For developers, the refactored HTTP redirect handling tests and updated GitHub Actions workflows provide more reliable testing infrastructure. While these changes don't affect end users directly, they contribute to the overall stability and maintainability of the WordPress codebase.

Overall, this release demonstrates WordPress's ongoing commitment to security and maintaining compatibility with modern development practices, even in older supported branches.

Statistics:

Files Changed: 23
Line Additions: 484
Line Deletions: 138
Line Changes: 622
Total Commits: 5

Users Affected:

  • Enhanced security against CSRF attacks when setting attachment thumbnails
  • Improved protection with better protocol validation for WordPress Embed code
  • Access to new strings for end-of-life updates in the admin interface

Contributors:

peterwilsoncc, desrosj, audrasjb, SergeyBiryukov