WordPress Release: 5.2.18
Tag Name: 5.2.18
Release Date: 5/16/2023
WordPress: the world's most popular open-source content management system, powering over 40% of all websites. It offers an extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites, and is a highly customizable and scalable platform suitable for beginners and advanced developers alike.
TL;DR
WordPress 5.2.18 is a maintenance and security release that addresses several security vulnerabilities and includes improvements to GitHub Actions workflows. This release focuses on enhancing security by fixing CSRF issues with attachment thumbnails, adding protocol validation for embeds, introducing locale sanitization, and ensuring block comments are properly validated. It also includes updates to testing tools and internationalization improvements for end-of-life notifications.
Highlight of the Release
- Security fixes for CSRF vulnerability in attachment thumbnails
- Protocol validation added for WordPress Embed code
- New locale sanitization function for internationalization
- Block comment validation improvements
- Refactored HTTP API tests to remove external dependencies
- Updated GitHub Actions workflows for better CI/CD reliability
Migration Guide
Migration Notes
This maintenance release does not introduce any breaking changes that would require specific migration steps. The security fixes and improvements are backward compatible with previous WordPress 5.2.x versions.
For developers who use GitHub Actions in their WordPress-based projects, note that some workflow syntax has been updated to address deprecation notices for save-output and set-output. If you've copied these workflows for your own use, update your copies accordingly.
Upgrade Recommendations
Priority: High
This release contains several important security fixes that address vulnerabilities in WordPress core. All WordPress site administrators should update to version 5.2.18 as soon as possible.
The security fixes in this release address:
- CSRF vulnerability in attachment thumbnails
- Protocol validation for embeds
- Locale sanitization
- Block comment validation
For sites on the WordPress 5.2 branch, this update is essential for maintaining site security. If you're running an older version of WordPress, consider updating to the latest supported version for additional security improvements and features.
Bug Fixes
HTTP API Fixes
- Refactored the test for multiple Location headers in WP_HTTP::handle_redirects()
- Removed wordpress.org as an external dependency for testing redirects
- Moved tests from the external-http group to the http test group
Security-Related Bug Fixes
- Fixed CSRF vulnerability in setting attachment thumbnails
- Added protocol validation for WordPress Embed code
- Ensured block comments are validated properly to prevent security issues
New Features
New Internationalization Features
- Added new translation strings to about.php for use with end-of-life updates, allowing better localization of final-version notifications
- Introduced a new sanitization function for locales to improve the security of internationalization features
CI/CD Improvements
- Backported multiple updates to GitHub Actions workflows:
  - Updated deprecated save-output and set-output syntax
  - Added automatic retry functionality for failed workflows
  - Removed workflow files not applicable to the branch
  - Updated Docker environment tooling for consistency across branches
Security Updates
Critical Security Fixes
- Media Security: Fixed a CSRF vulnerability in setting attachment thumbnails that could potentially allow unauthorized changes to media files
- Embed Security: Added protocol validation for WordPress Embed code to prevent potential security issues with malicious embeds
- Internationalization Security: Introduced a new sanitization function for locales to prevent potential injection attacks
- Editor Security: Improved validation for block comments to ensure they are of a valid form, preventing potential XSS vulnerabilities
These security fixes address important vulnerabilities that could potentially be exploited in WordPress installations. All users are strongly encouraged to update to this version immediately.
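As an added illustration (not WordPress core code and not taken from this release), the two allow-list checks below show the shape of the locale sanitization and embed protocol validation described above; the function names, the locale character allow-list and the permitted URL schemes are assumptions.

```php
<?php
// Added illustration, not WordPress core code. Function names, the locale
// character allow-list and the permitted URL schemes are assumptions.

/**
 * Keep only characters a locale name legitimately contains: ASCII letters,
 * digits, underscore and hyphen. Dots, slashes and anything else are
 * dropped, so the value cannot alter the path when it is later used in a
 * file name such as "{$locale}.mo".
 */
function demo_sanitize_locale( $locale ) {
	return preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $locale );
}

/**
 * Accept an embed endpoint URL only when its scheme is http or https.
 * Returns the URL unchanged when accepted, false otherwise.
 */
function demo_validate_embed_url( $url ) {
	$scheme = parse_url( (string) $url, PHP_URL_SCHEME );
	if ( ! is_string( $scheme ) ) {
		return false; // No scheme (scheme-relative URL) or unparsable URL.
	}
	return in_array( strtolower( $scheme ), array( 'http', 'https' ), true ) ? $url : false;
}

// Constructed sample inputs with their expected results.
$locale_cases = array(
	'de_DE'           => 'de_DE',
	'pt-BR'           => 'pt-BR',
	'zh_CN.UTF-8'     => 'zh_CNUTF-8',
	'../../wp-config' => 'wp-config',
);
$embed_cases = array(
	'https://example.com/oembed?format=json' => 'https://example.com/oembed?format=json',
	'HTTP://example.com/oembed'              => 'HTTP://example.com/oembed',
	'javascript:void(0)'                     => false,
	'data:text/html,x'                       => false,
	'//example.com/oembed'                   => false,
);

foreach ( $locale_cases as $input => $expected ) {
	if ( demo_sanitize_locale( $input ) !== $expected ) {
		fwrite( STDERR, "locale check failed for '$input'\n" );
		exit( 1 );
	}
}
foreach ( $embed_cases as $input => $expected ) {
	if ( demo_validate_embed_url( $input ) !== $expected ) {
		fwrite( STDERR, "embed check failed for '$input'\n" );
		exit( 1 );
	}
}
echo "all checks passed\n";
```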
Performance Improvements
Testing Performance Improvements
- Refactored HTTP API tests to no longer make actual HTTP requests, improving test reliability and speed
- Updated GitHub Actions workflows for more efficient CI/CD processes
- Improved Docker environment tooling for more consistent and efficient testing environments
Impact Summary
WordPress 5.2.18 is primarily a security-focused maintenance release that addresses several vulnerabilities while also improving the development and testing infrastructure. The security fixes target potential CSRF attacks in media handling, embed protocol validation, locale sanitization, and block comment validation.
For site administrators, this release provides critical security enhancements without introducing breaking changes. The addition of new translation strings for end-of-life notifications will help improve communication when branches reach their support end date.
For developers, the refactored HTTP API tests and GitHub Actions workflow improvements provide more reliable testing environments and remove external dependencies, making the development process more robust.
This release demonstrates WordPress's ongoing commitment to security maintenance even for older branches, ensuring that sites that haven't yet upgraded to newer major versions remain protected against newly discovered vulnerabilities.
Users Affected:
- Enhanced security protections against CSRF attacks and missing protocol validation in embeds
- Improved handling of end-of-life notifications with new translation strings
- More secure media attachment handling
