WordPress Release: 5.1.4

Tag Name: 5.1.4

Release Date: 12/12/2019


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 5.1.4 is a security release for the 5.1 branch; it backports the fixes that shipped the same day in WordPress 5.3.1. It addresses stored XSS in block editor content and in wp_targeted_link_rel() link handling, hardens wp_kses_bad_protocol() against the HTML5 named entity &colon;, and adds the capability check that was missing before a post could be made sticky. There are no new features, so the update is low-risk and essential for every site still on 5.1.x.

Highlight of the Release

    • Fixed stored XSS vulnerabilities in block editor content and in wp_targeted_link_rel() link handling
    • Added the missing capability check before a post can be made sticky
    • Hardened wp_kses_bad_protocol() to recognize the HTML5 named entity &colon; in URI attributes
    • Prevented JSON-escaped characters (for example \u003c) in block attributes from decoding into unfiltered HTML
    • Replaced array_column() with wp_list_pluck() so the backported fix runs on PHP versions older than 5.5

Migration Guide

No specific migration steps are required for this security update. Simply update to WordPress 5.1.4 through your admin dashboard or via manual update.

If you have custom code that calls or filters wp_targeted_link_rel() or wp_kses_bad_protocol(), or that makes posts sticky outside the standard editor flow, review it against the hardened behavior: a scheme whose colon is written as &colon; is now treated like any other disallowed protocol, and making a post sticky now requires the publish_posts capability.

Upgrade Recommendations

Immediate Update Recommended

This is a security release that addresses multiple stored XSS vulnerabilities and a missing capability check. All site owners on the 5.1 branch should update to version 5.1.4 immediately: the XSS issues allow certain authenticated users to store script in site content that then runs for anyone who views it.

The security fixes in this release are critical for maintaining the integrity and security of your WordPress installation. No known compatibility issues have been reported with this update.

Bug Fixes

Permission Validation

  • Fixed an issue where no capability check was performed before a post was made sticky, so the sticky flag could be set by users who should not be able to set it
  • A request to make a post sticky is now refused unless the user has the publish_posts capability
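
The check described above, as an added example that is not WordPress core code: a minimal REST-style update handler, first without and then with a capability check on the sticky flag. USERS and user_can() stand in for WordPress roles and current_user_can(); stick_post() mimics core's function of that name on an in-memory list; the error codes and all other names are illustrative. The capability checked is publish_posts, the one the release notes name.

```php
<?php
// Added example, not WordPress core code: a minimal REST-style update handler,
// first without and then with the capability check this release adds before a
// post is made sticky. USERS and user_can() stand in for WordPress roles and
// current_user_can(); stick_post() mimics core's function of that name on an
// in-memory list; the error codes are illustrative.

// Constructed role -> capability map.
const USERS = [
    'contributor' => ['edit_posts'],
    'editor'      => ['edit_posts', 'publish_posts'],
];

function user_can(string $user, string $cap): bool
{
    return in_array($cap, USERS[$user] ?? [], true);
}

function stick_post(array &$sticky_posts, int $id)
{
    if (!in_array($id, $sticky_posts, true)) {
        $sticky_posts[] = $id;
    }
}

// Before the fix (deliberately vulnerable): a caller who may edit posts can
// send "sticky": true in the request body and the flag is applied as-is.
function update_post_before(string $user, array $request, array &$sticky_posts): array
{
    if (!user_can($user, 'edit_posts')) {
        return ['error' => 'rest_cannot_edit', 'status' => 403];
    }
    $id = (int) $request['id'];
    if (!empty($request['sticky'])) {
        stick_post($sticky_posts, $id);
    }
    return ['id' => $id, 'sticky' => in_array($id, $sticky_posts, true)];
}

// After the fix: making a post sticky is a distinct privileged operation with
// its own capability check, evaluated before any side effect happens.
function update_post_after(string $user, array $request, array &$sticky_posts): array
{
    if (!user_can($user, 'edit_posts')) {
        return ['error' => 'rest_cannot_edit', 'status' => 403];
    }
    if (!empty($request['sticky']) && !user_can($user, 'publish_posts')) {
        return ['error' => 'rest_cannot_assign_sticky', 'status' => 403];
    }
    $id = (int) $request['id'];
    if (!empty($request['sticky'])) {
        stick_post($sticky_posts, $id);
    }
    return ['id' => $id, 'sticky' => in_array($id, $sticky_posts, true)];
}

// Constructed request body: a contributor asks for the post to be made sticky.
$request = ['id' => 42, 'sticky' => true];

$sticky = [];
print_r(update_post_before('contributor', $request, $sticky));   // flag applied
$sticky = [];
print_r(update_post_after('contributor', $request, $sticky));    // refused
$sticky = [];
print_r(update_post_after('editor', $request, $sticky));         // allowed
```

The point of the second function is that the sticky check runs before stick_post() is called, not after; a check placed after the side effect still leaves the post sticky when it fails.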

Code Compatibility

  • Replaced array_column() (available only in PHP 5.5.0 and later) with wp_list_pluck() in wp_targeted_link_rel_callback(), so the backported fix runs on the older PHP versions the 5.1 branch still supports

New Features

No new features were introduced in this security release. WordPress 5.1.4 focuses exclusively on security fixes and bug patches to address vulnerabilities in the previous version.

Security Updates

XSS Vulnerabilities Patched

  • Fixed a stored XSS vulnerability in block editor content that could allow certain users to inject script through block attributes
  • Updated wp_targeted_link_rel(), which adds rel="noopener noreferrer" to target="_blank" links, so that crafted links can no longer be used for stored XSS
  • Hardened wp_kses_bad_protocol() to recognize the HTML5 named entity &colon; in URI attributes; a scheme written as javascript&colon; was previously not detected as a colon-delimited protocol, while the browser decodes the entity back to a colon
  • Prevented escaped Unicode sequences (such as \u003c) in block-attribute JSON from decoding into unfiltered HTML, which could lead to XSS
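
The &colon; bypass, as an added example that is not WordPress core code: a simplified stand-in for a URI protocol check, run once with a pattern that knows only the literal, decimal and hex forms of the colon and once with the named entity added. ALLOWED_PROTOCOLS, uri_scheme() and bad_protocol() are illustrative names; the real function strips the offending scheme and loops until the input is stable, which is omitted here.

```php
<?php
// Added example, not WordPress core code: a simplified stand-in for the URI
// protocol check described above, written to show why a checker that only
// understands the numeric forms of ':' is bypassed by the HTML5 named entity
// &colon;. ALLOWED_PROTOCOLS, uri_scheme() and bad_protocol() are illustrative
// names; the real function strips the offending scheme and loops until the
// input is stable, which is omitted here.

const ALLOWED_PROTOCOLS = ['http', 'https', 'mailto', 'ftp'];

// Return the lowercased scheme of $uri, or '' when it has none. A colon may be
// written literally or as an entity; $named_colon toggles knowledge of &colon;.
function uri_scheme(string $uri, bool $named_colon): string
{
    $pattern = $named_colon
        ? '/:|&#0*58;|&#x0*3a;|&colon;/i'   // literal, decimal, hex, named
        : '/:|&#0*58;|&#x0*3a;/i';          // literal, decimal, hex only (pre-fix)
    $parts = preg_split($pattern, $uri, 2);
    if (count($parts) < 2) {
        return '';                           // no colon: a relative URI
    }
    // Browsers drop ASCII tab/newline from URLs, so "java\tscript" must be
    // normalized before it is compared against the allowlist.
    return strtolower(preg_replace('/[\s\x00-\x1f]+/', '', $parts[0]));
}

// Keep $uri if its scheme is allowed (or absent); otherwise drop it.
function bad_protocol(string $uri, bool $named_colon): string
{
    $scheme = uri_scheme($uri, $named_colon);
    if ($scheme === '' || in_array($scheme, ALLOWED_PROTOCOLS, true)) {
        return $uri;
    }
    return '';
}

// Constructed attacker inputs: the same javascript: URI with its colon spelled
// four different ways. A browser decodes every one of them before navigating.
$samples = [
    'javascript:alert(1)',
    'javascript&#58;alert(1)',
    'javascript&#x3a;alert(1)',
    'javascript&colon;alert(1)',
    "java\tscript:alert(1)",
    'https://example.com/',
    '/relative/path',
];
foreach ($samples as $uri) {
    printf("%-28s pre-fix: %-24s post-fix: %s\n",
        str_replace("\t", '\t', $uri),
        var_export(bad_protocol($uri, false), true),
        var_export(bad_protocol($uri, true), true));
}
```

With the pre-fix pattern the &colon; sample comes back unchanged because no colon is found, so the entity reaches the page and the browser decodes it to a javascript: URI; with the named entity in the alternation it is split like the other spellings and dropped. The general lesson is that a sanitizer must recognize every encoding the consumer will decode, not only the ones the author thought of.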

These security fixes address multiple ways that malicious actors could potentially inject harmful scripts into WordPress sites, making this update critical for all installations.
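
The JSON-decoding issue from the list above, as an added example that is not WordPress core code: a \u003c escape inside the JSON of a block delimiter comment contains no literal '<' for a text-level HTML filter to act on, yet becomes a real '<' once the attributes are decoded. The fix sketched here (parse, filter the decoded values, re-serialize with the dangerous characters escaped) follows the approach the release describes; html_filter(), parse_block_delimiter(), filter_block_attributes() and serialize_block_delimiter() are illustrative names, not WordPress functions.

```php
<?php
// Added example, not WordPress core code: a \u003c escape inside the JSON of a
// block delimiter comment carries no '<' that a text-level HTML filter could
// see, yet becomes a real '<' once the attributes are JSON-decoded. The fix
// sketched here (parse, filter the decoded values, re-serialize with the
// dangerous characters escaped) follows the approach the release describes.
// All function names are illustrative, not WordPress functions.

// Stand-in for an allowlist HTML filter: HTML comments pass through untouched
// (as a kses-style filter keeps them), <strong>/<em> survive, all other tags go.
function html_filter(string $html): string
{
    return preg_replace_callback(
        '/<!--.*?-->|<\/?([a-z][a-z0-9]*)\b[^>]*>/is',
        function (array $m): string {
            if (strpos($m[0], '<!--') === 0) {
                return $m[0];
            }
            return in_array(strtolower($m[1]), ['strong', 'em'], true) ? $m[0] : '';
        },
        $html
    );
}

// Parse one self-closing block delimiter into its name and decoded attributes;
// returns null when the comment is not a block delimiter carrying a JSON object.
function parse_block_delimiter(string $comment)
{
    if (!preg_match('/^<!--\s+wp:([a-z0-9\/-]+)\s+(\{.*\})\s+\/?-->$/s', $comment, $m)) {
        return null;
    }
    $attrs = json_decode($m[2], true);
    return is_array($attrs) ? ['name' => $m[1], 'attrs' => $attrs] : null;
}

// Run html_filter() over every string leaf of the decoded attribute tree.
function filter_block_attributes($value)
{
    if (is_array($value)) {
        return array_map('filter_block_attributes', $value);
    }
    return is_string($value) ? html_filter($value) : $value;
}

// Re-serialize so that <, >, &, " and "--" are stored as \uXXXX escapes and can
// neither re-open an HTML context nor terminate the enclosing comment.
function serialize_block_delimiter(string $name, array $attrs): string
{
    $json = json_encode($attrs, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE
                                | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT);
    $json = str_replace('--', '\\u002d\\u002d', $json);
    return "<!-- wp:$name $json /-->";
}

// Constructed attacker input: there is no literal '<' anywhere in this text.
$raw = '<!-- wp:paragraph {"caption":"\u003cstrong\u003eHi\u003c/strong\u003e'
     . '\u003cimg src=x onerror=alert(1)\u003e"} /-->';

// Text-level filtering only (the bypass): the comment survives verbatim and the
// decoded caption carries a live <img onerror> payload to whatever renders it.
$unsafe = parse_block_delimiter(html_filter($raw))['attrs']['caption'];

// Parse, filter the decoded values, re-serialize (the fix): the <img> is
// removed and the surviving <strong> tags are stored escaped.
$block = parse_block_delimiter($raw);
$fixed = serialize_block_delimiter($block['name'], filter_block_attributes($block['attrs']));
$safe  = parse_block_delimiter($fixed)['attrs']['caption'];

echo "decoded without attribute filtering: $unsafe\n";
echo "re-serialized after filtering:       $fixed\n";
echo "decoded again:                       $safe\n";
```

Two details matter in the re-serialization step: the characters that can change the HTML context (<, >, &, ") are written as \u escapes so that the stored JSON is inert no matter how a later reader treats the comment text, and "--" is escaped because it would otherwise terminate the comment early and expose whatever follows as markup.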

Performance Improvements

No specific performance improvements were included in this release. WordPress 5.1.4 is primarily focused on security fixes and bug patches.

Impact Summary

WordPress 5.1.4 is a security-focused maintenance release that addresses several critical vulnerabilities. The most significant impact is the patching of multiple stored XSS vulnerabilities that could allow malicious actors to inject harmful scripts into WordPress sites.

The update improves security in three key areas:

  1. Block editor security hardening
  2. Link handling and processing
  3. Permission validation for sticky posts

Additionally, the release improves PHP compatibility by replacing array_column() with wp_list_pluck() to support older PHP versions.

While this release doesn't introduce new features or performance improvements, it significantly enhances the security posture of WordPress installations and should be applied immediately to all sites running WordPress 5.1.x.

Statistics:

  Files changed: 14
  Line additions: 563
  Line deletions: 45
  Line changes: 608
  Total commits: 5

Users affected:

  • All site owners running WordPress 5.1.x need to update immediately to close the vulnerabilities above
  • Developers should review custom code that calls wp_targeted_link_rel() or wp_kses_bad_protocol(), or that filters block editor content
  • Plugin and theme authors that make posts sticky themselves should apply the same publish_posts capability check

Contributors:

desrosj, whyisjake, SergeyBiryukov