WordPress Release: 5.2.13

TL;DR

WordPress 5.2.13 is a maintenance and security release that addresses critical issues with Let's Encrypt certificate validation and updates testing infrastructure. The update removes an expired DST Root CA X3 certificate that was causing validation failures with Let's Encrypt certificates on older OpenSSL versions. It also introduces the PHPUnit Polyfills package to improve cross-version testing capabilities for WordPress developers.

Highlight of the Release

• Fixed Let's Encrypt certificate validation by removing expired DST Root CA X3 certificate
• Introduced PHPUnit Polyfills package for improved cross-version testing
• Updated default package script versions for better compatibility
• Added support for both camelCase and snake_case fixture methods in test infrastructure

Migration Guide

No specific migration steps are required for this update. WordPress 5.2.13 is a maintenance and security release that should be applied through the standard WordPress update process.

For developers working with the WordPress testing infrastructure:

• If you've created custom test cases that extend WP_UnitTestCase, you can now use either camelCase or snake_case fixture methods
• The PHPUnit Polyfills package is now available for use in your tests
• Review any custom test infrastructure that might interact with the certificate validation process

Upgrade Recommendations

Immediate Upgrade Recommended

This is a security and maintenance release that addresses critical issues with SSL/TLS certificate validation. All WordPress site administrators should update to version 5.2.13 as soon as possible.

The update is particularly important for:

• Sites using Let's Encrypt certificates
• Environments running older versions of OpenSSL (especially 1.0.2)
• Developers who maintain tests across multiple WordPress versions

WordPress 5.2.13 is compatible with existing plugins and themes and should not cause any disruption to your site's functionality.

Bug Fixes

Let's Encrypt Certificate Validation Fix

This release removes the DST Root CA X3 certificate that expired on September 30, 2021, from WordPress's trusted certificate bundle. This addresses a critical issue where sites using OpenSSL 1.0.2 could experience certificate validation failures with Let's Encrypt certificates.

The issue occurred because OpenSSL 1.0.2 would prefer the untrusted chain containing the expired DST Root CA X3 certificate, causing SSL/TLS connections to fail. By removing this expired certificate, WordPress ensures proper certificate validation on all supported systems.

Test Forward-Compatibility Layer Fix

Fixed an issue in the test infrastructure where wrapper methods were not being called due to naming inconsistencies. The update ensures that both camelCase and snake_case fixture methods are properly recognized and executed in the correct order during tests.

New Features

PHPUnit Polyfills for Cross-Version Testing

WordPress 5.2.13 introduces the PHPUnit Polyfills package to the testing infrastructure. This addition makes it easier for developers to write and maintain tests that work across multiple versions of WordPress and PHP.

The package provides:

• Compatibility layers for different PHPUnit versions
• Support for both camelCase and snake_case fixture methods
• Wrappers for newer PHPUnit practices that maintain backward compatibility

This enhancement is particularly valuable for plugin and theme developers who need to ensure their code works across a wide range of WordPress installations.

Security Updates

SSL/TLS Certificate Validation Security Fix

This release addresses a security concern related to SSL/TLS certificate validation. By removing the expired DST Root CA X3 certificate from WordPress's trusted certificate bundle, the update prevents potential certificate validation failures that could affect secure connections to WordPress sites.

This is particularly important for sites using Let's Encrypt certificates in combination with older versions of OpenSSL (specifically 1.0.2), which would otherwise fail to establish secure connections after the certificate's expiration on September 30, 2021.

Performance Improvements

Script Loader Improvements

WordPress 5.2.13 synchronizes default package script versions in the 5.2 branch, ensuring that all dependencies are up-to-date. This helps maintain consistent performance across WordPress installations and reduces potential compatibility issues with third-party plugins and themes.

Impact Summary

WordPress 5.2.13 delivers critical security and maintenance improvements that enhance the platform's stability and security. The removal of the expired DST Root CA X3 certificate resolves potential SSL/TLS validation issues with Let's Encrypt certificates, particularly on systems running older versions of OpenSSL.

For WordPress developers, the introduction of the PHPUnit Polyfills package significantly improves the testing infrastructure, making it easier to write and maintain tests that work across multiple versions of WordPress and PHP. This is especially valuable for plugin and theme developers who need to support a wide range of WordPress installations.

The update also synchronizes default package script versions, ensuring consistent performance and compatibility across WordPress installations. Overall, this release focuses on maintaining WordPress's security, stability, and developer experience without introducing breaking changes.