WordPress Release: 5.1.5

TL;DR

WordPress 5.1.5 is a security and maintenance release that addresses several important security vulnerabilities and includes various bug fixes. This update focuses on preventing JSON corruption in the Customizer, improving user security by invalidating activation keys on password updates, fixing query issues, and enhancing UTF-8 character support in file names. The release also includes several test and build tool improvements to streamline the development process.

Highlight of the Release

• Security improvements to prevent JSON corruption in the Customizer
• Enhanced user security by invalidating activation keys on password updates
• Fixed query handling to ensure only a single post is returned on date/time based queries
• Improved UTF-8 character support in file names
• Better escaping in the cache API stats method

Migration Guide

This is a security and maintenance release that doesn't require any special migration steps. It's recommended to update to WordPress 5.1.5 as soon as possible to benefit from the security improvements.

To update WordPress:

1. Back up your website files and database before updating
2. Update through the WordPress admin dashboard by going to Dashboard > Updates
3. Alternatively, download the update from WordPress.org and perform a manual update

No database schema changes are included in this release, so the update process should be smooth and quick.

Upgrade Recommendations

Priority: High

This release contains several important security fixes that protect against potential vulnerabilities. All WordPress site administrators should update to version 5.1.5 as soon as possible.

The update is compatible with existing WordPress 5.1.x installations and doesn't introduce any breaking changes. The security improvements alone make this update highly recommended for all users.

If you're running an older version of WordPress (prior to 5.1), consider updating to the latest version of WordPress instead of just 5.1.5, as newer major versions contain additional security improvements and features.

Bug Fixes

• Query Handling: Fixed an issue to ensure that only a single post can be returned on date/time based queries, preventing potential duplicate content problems.
• Block Editor: Addressed coding standards issues by properly escaping class names in the Block Editor.
• Cache API: Improved escaping around the stats method in the cache API to prevent potential security issues.
• Test Framework: Corrected assertions in test_site_dates_are_gmt() by using the appropriate assertion methods with delta comparison to avoid race conditions.

New Features

Enhanced Security Features

• Customizer JSON Protection: Added additional filters to prevent JSON corruption in the Customizer, protecting against potential security vulnerabilities.
• User Activation Key Handling: Improved security by automatically invalidating user_activation_key when passwords are updated.
• Better UTF-8 Support: Expanded sanitize_file_name function to provide better support for UTF-8 characters, improving internationalization capabilities.

Security Updates

• User Authentication: Enhanced security by invalidating user activation keys whenever passwords are updated, reducing the risk of unauthorized access.
• Customizer Protection: Added filters to prevent JSON corruption in the Customizer, protecting against potential injection attacks.
• Cache API Security: Improved escaping around the stats method in the cache API to prevent potential security vulnerabilities.
• Query Protection: Fixed an issue with date/time based queries to ensure only a single post is returned, preventing potential data exposure.

Performance Improvements

• Build/Test Tools: Trimmed the test matrix on Travis CI to speed up the 5.1 branch build process.
• Test Optimization: Removed several PHP version jobs (7.2, 7.1, 5.5, 5.4, and 5.3) from the test matrix to improve build times.
• PHPUnit Integration: Improved PHPUnit information display for PHP tests only, avoiding build errors on the travis:format job caused by version compatibility issues.

Impact Summary

WordPress 5.1.5 is primarily a security and maintenance release that addresses several important vulnerabilities and bugs. The security improvements focus on preventing JSON corruption, protecting user accounts, and ensuring proper data handling in queries.

The release improves the security posture of WordPress sites by invalidating user activation keys on password updates and adding filters to prevent JSON corruption in the Customizer. These changes help protect against potential unauthorized access and injection attacks.

For developers, the expanded support for UTF-8 characters in file names improves internationalization capabilities, making WordPress more accessible to users worldwide. The fixes to the query handling ensure more reliable content delivery, particularly for date/time based queries.

The build and test improvements, while not directly visible to end users, help maintain WordPress's quality by streamlining the development process and ensuring more reliable testing.

Overall, this release represents an important security update that all WordPress site administrators should apply promptly to protect their websites and users.