WordPress Release: 5.2.12
Tag Name: 5.2.12
Release Date: 9/9/2021
WordPress
World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 5.2.12 brings important security updates and bug fixes to the popular CMS platform.
This maintenance release focuses on security improvements by updating the Lodash dependency to version 4.17.21 to address potential vulnerabilities. It also includes a fix for JSONP REST API requests handling and enhances the block editor security by disabling certain rich text attributes. Performance optimizations have been implemented through webpack configuration changes for more deterministic module IDs.
This update is recommended for all WordPress 5.2.x users to maintain site security and stability.
Highlights of the Release
- Updated Lodash dependency to version 4.17.21 to address security vulnerabilities
- Improved JSONP REST API request handling with dedicated handler function
- Enhanced block editor security by disabling certain rich text attributes
- Optimized performance with deterministic webpack module IDs
Migration Guide for WordPress 5.2.12
This is a maintenance and security release that doesn't require specific migration steps. However, here are some recommendations:
- Back up your site before updating as a standard precaution.
- For developers working with JSONP REST API requests: Be aware that these requests now exclusively use the _jsonp_wp_die_handler() function. If you've implemented custom handling for these requests, you may need to review your code.
- For plugin developers using rich text in the block editor: Some attributes have been disabled for rich text. Test your plugins after updating to ensure they still function as expected.
- For developers using Lodash: The library has been updated to version 4.17.21. If you rely on specific Lodash functionality, verify compatibility with this version.
Upgrade Recommendations
Priority: High
WordPress 5.2.12 contains important security fixes, including an update to the Lodash library to address known vulnerabilities. All users running WordPress 5.2.x are strongly encouraged to update to this latest release as soon as possible.
For users on older branches, this release underscores the importance of running a supported WordPress version. If you're running a version older than 5.2, consider updating to the latest supported release for the most current security protections.
The update process should be straightforward:
- Back up your website files and database
- Update through the WordPress dashboard or via manual update
- Test your site functionality after the update
No special post-update procedures are required for most users.
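A post-update check for the two version numbers this release turns on, as an added example (not WordPress code). The file paths and version-string patterns are assumptions about a standard install layout, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED_WP = (5, 2, 12)       # release named on this page
FIXED_LODASH = (4, 17, 21)  # Lodash version named on this page
# Assumed file locations inside a WordPress install (not stated on the page).
WP_VERSION_FILE = "wp-includes/version.php"
LODASH_FILE = "wp-includes/js/dist/vendor/lodash.js"

def parse_version(text):
    """Turn '5.2' or '4.17.21' into a 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def find_version(path, pattern):
    """Return the version tuple matched by `pattern` in `path`, or None."""
    try:
        match = re.search(pattern, path.read_text(errors="replace"))
    except OSError:
        return None
    return parse_version(match.group(1)) if match else None

def audit(root):
    """List what is still outstanding for the install under `root`."""
    wp = find_version(Path(root) / WP_VERSION_FILE, r"\$wp_version\s*=\s*'(\d+(?:\.\d+){1,2})")
    lodash = find_version(Path(root) / LODASH_FILE, r"VERSION\s*=\s*'(\d+\.\d+\.\d+)'")
    findings = []
    if wp is None:
        findings.append("core version not found")
    elif wp[:2] == (5, 2) and wp < FIXED_WP:
        findings.append("core %d.%d.%d is older than 5.2.12" % wp)
    elif wp[:2] < (5, 2):
        findings.append("core branch %d.%d is older than 5.2" % wp[:2])
    if lodash is None:
        findings.append("bundled Lodash version not found")
    elif lodash < FIXED_LODASH:
        findings.append("bundled Lodash %d.%d.%d is older than 4.17.21" % lodash)
    return findings

def make_sample_install(wp, lodash):
    """Build a constructed sample tree standing in for a real install."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes/js/dist/vendor").mkdir(parents=True)
    (root / WP_VERSION_FILE).write_text("<?php\n$wp_version = '%s';\n" % wp)
    (root / LODASH_FILE).write_text("var VERSION = '%s';\n" % lodash)
    return root

if __name__ == "__main__":
    print(audit(make_sample_install("5.2.11", "4.17.19")))
```

An empty list from `audit()` means both the core version and the bundled Lodash copy are at or past the versions this release names; branches newer than 5.2 are only checked for the Lodash version.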
Bug Fixes
REST API Improvements
- JSONP Request Handling: Fixed how WordPress handles JSONP REST API requests by ensuring they only use the dedicated _jsonp_wp_die_handler() function, improving stability and security of these requests.
Block Editor Fixes
- Rich Text Security: Disabled certain attributes for rich text in the block editor to prevent potential security issues.
New Features
Enhanced Security Measures
- Lodash Update: The Lodash JavaScript library has been updated to version 4.17.21, which includes important security patches for potential vulnerabilities.
Performance Optimizations
- Webpack Configuration Improvements: Implemented hashed/deterministic moduleIDs in the webpack configuration, which helps with more consistent builds and potentially better caching.
Security Updates
Critical Security Updates
- Lodash Library Update: Updated the Lodash JavaScript library from the previous version to 4.17.21 to address known security vulnerabilities. This update patches potential prototype pollution issues and other security concerns in the library.
- REST API Security: Improved the security of JSONP REST API requests by ensuring they only use the dedicated _jsonp_wp_die_handler() function, preventing potential misuse of these endpoints.
- Block Editor Protection: Enhanced security in the block editor by disabling certain attributes for rich text that could potentially be exploited.
Performance Improvements
Build System Optimizations
- Deterministic Module IDs: Implemented hashed/deterministic moduleIDs in the webpack configuration, which provides more consistent builds and can improve caching behavior in the browser.
- JavaScript Performance: The update to Lodash 4.17.21 may also bring performance improvements alongside the security fixes, as newer versions often include optimizations.
Impact Summary
WordPress 5.2.12 is primarily a security and maintenance release that addresses several important vulnerabilities and bugs. The most significant impact comes from the Lodash library update to version 4.17.21, which patches security vulnerabilities that could potentially be exploited in WordPress installations.
The changes to JSONP REST API request handling improve the security posture of WordPress sites by ensuring proper handler functions are used, reducing the risk of API-related exploits. This change is mostly transparent to end users but provides important protection behind the scenes.
For content creators and site administrators, the restrictions on certain rich text attributes in the block editor might cause subtle changes in editing behavior, but these changes are necessary security improvements that protect against potential exploits.
Developers will benefit from the webpack configuration improvements that implement deterministic module IDs, potentially improving build consistency and performance.
Overall, this release represents an important security update that all WordPress 5.2.x users should apply promptly to maintain site security and stability.
Users Affected:
- Benefit from improved security through Lodash dependency update
- Should update their WordPress installations to maintain security
- Will experience more stable JSONP REST API request handling
