WordPress Release: 5.2.17

Tag Name: 5.2.17

Release Date: 10/17/2022

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 5.2.17 is a security and maintenance release that introduces support status indicators for future use, implements multiple security fixes, and includes editor package updates. This release focuses on hardening WordPress against potential vulnerabilities and preparing for future maintenance communications, particularly for versions approaching end-of-security-support status.

Highlight of the Release

    • Introduction of strings to indicate security support status for future maintenance notifications
    • Multiple security fixes across core WordPress components including REST API, media, customizer, and more
    • Editor package updates with bug fixes for block library and edit-post components
    • Enhanced security for post-by-email functionality and trackbacks

Migration Guide

No specific migration steps are required for this update. This is a standard security and maintenance release that should be applied through the normal WordPress update process.

Site administrators should:

  1. Back up their website before updating
  2. Update to WordPress 5.2.17 through the WordPress dashboard or via manual update
  3. Test their site functionality after the update

No database schema changes or breaking changes are included in this release.

Upgrade Recommendations

This release contains important security fixes across multiple WordPress components. All users are strongly encouraged to update to WordPress 5.2.17 immediately.

The security improvements in this release address potential vulnerabilities in the REST API, media handling, customizer, and other core components. Maintaining the latest security updates is crucial for protecting your WordPress site from potential attacks.

For users on WordPress 5.2.x, this is a straightforward update that should not cause any compatibility issues with existing themes or plugins.

Bug Fixes

Security and Bug Fixes

  • Media: Refactored search by filename within the admin for improved security
  • REST API: Implemented lockdown of post parameter in the terms endpoint
  • Customize: Added escaping for blogname option in underscores templates
  • Query: Added validation for relation in WP_Date_Query
  • Posts/Post Types:
    • Applied KSES to post-by-email content for better security
    • Removed emails from post-by-email logs to protect user privacy
  • General: Added host validation on "Are you sure?" screen
  • Pings/Trackbacks: Applied KSES to all trackbacks
  • Mail: Reset PHPMailer properties between use to prevent information leakage
  • Comments: Applied KSES when editing comments
  • Widgets: Added escaping for RSS error messages

New Features

Support Status Indicators

  • Added new strings to indicate when a WordPress version is no longer receiving security updates
  • Added strings to indicate when a WordPress version will shortly stop receiving security updates
  • These strings are being made available to translators in preparation for future maintenance releases

Editor Package Updates

  • Updated @wordpress/block-library to version 2.4.13
  • Updated @wordpress/edit-post to version 3.3.13
  • These updates include bug fixes for the block editor components

Security Updates

Security Enhancements

  • REST API: Locked down post parameter of the terms endpoint to prevent potential vulnerabilities
  • Media: Improved security in admin file search functionality
  • Customizer: Enhanced escaping for blogname option in underscores templates
  • Query: Added validation for relation parameter in WP_Date_Query to prevent potential SQL injection
  • Post-by-Email:
    • Applied KSES filtering to post-by-email content
    • Removed email addresses from post-by-email logs to protect user privacy
  • Authentication: Added host validation on the "Are you sure?" screen
  • Trackbacks: Applied KSES to all trackbacks to prevent XSS vulnerabilities
  • Mail: Reset PHPMailer properties between uses to prevent information leakage
  • Comments: Enhanced security by applying KSES when editing comments
  • Widgets: Escaped RSS error messages to prevent potential XSS vulnerabilities

Performance Improvements

No specific performance improvements were highlighted in this release. The focus was primarily on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 5.2.17 is primarily a security-focused release that strengthens WordPress against potential vulnerabilities across multiple components. The addition of support status indicator strings prepares the groundwork for future maintenance communications, particularly for versions approaching end-of-security-support.

The security improvements span many core WordPress components including the REST API, media handling, customizer, post-by-email functionality, comments, and widgets. These changes help protect WordPress sites from potential XSS attacks, information disclosure, and other security issues.

Editor package updates address bugs in the block library and edit-post components, improving the editing experience. While this release doesn't introduce major new features, it represents an important step in WordPress's ongoing commitment to security and maintenance of older branches.

This release is particularly important for sites still running on the 5.2.x branch, as it provides critical security updates to keep these installations protected.

Statistics:

Files Changed: 24
Line Additions: 337
Line Deletions: 83
Line Changes: 420
Total Commits: 5

Users Affected:

  • Benefit from improved security measures across multiple WordPress components
  • Should update their sites as soon as possible to maintain security
  • Will see improved security in media search, REST API, and other core components

Contributors:

peterwilsoncc, audrasjb, desrosj, SergeyBiryukov