WordPress Release: 5.2.21

Tag Name: 5.2.21

Release Date: 6/24/2024

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 5.2.21 is a maintenance and security release that addresses a path traversal vulnerability in the Template-Part Block on Windows systems and improves test reliability by using WordPress.org CDN images for external HTTP tests. This release is important for WordPress site owners running version 5.2, especially those on Windows servers, as it patches a security vulnerability that could potentially be exploited.

Highlights of the Release

    • Fixed a path traversal security vulnerability in the Template-Part Block on Windows systems
    • Improved test reliability by using WordPress.org CDN images for external HTTP tests
    • Addressed issues with image size variations in tests due to WP.com compression changes

Migration Guide

No specific migration steps are required for this update. This is a standard maintenance and security release that can be applied through the normal WordPress update process.

To update:

  1. Back up your WordPress site
  2. Update through the WordPress admin dashboard or via your preferred method
  3. Verify your site functions correctly after the update

Upgrade Recommendations

This update is highly recommended for all WordPress 5.2.x users, especially those running WordPress on Windows servers.

The security fix for the path traversal vulnerability in the Template-Part Block is critical for maintaining the security of your WordPress installation on Windows systems. All users should update to WordPress 5.2.21 as soon as possible.

For those who have already moved to newer major versions of WordPress (5.3+), this update does not apply, as you are already on a more recent branch with these fixes included.

Bug Fixes

Test Reliability Improvements

  • Fixed issues with external HTTP tests by using images from the WordPress.org CDN
  • Addressed test reliability problems caused by WP.com's on-the-fly image compression that resulted in inconsistent image sizes across different platforms
  • Made affected tests more reliable by using standardized image sources

This change follows up on several previous improvements to WordPress testing infrastructure (referenced commits: 139/tests, 31258, 34568, 47142, 57903, 57904, 57924).

New Features

No significant new features were added in this maintenance and security release. WordPress 5.2.21 focuses on security fixes and test improvements rather than introducing new functionality.

Security Updates

Path Traversal Vulnerability Fix

Fixed a path traversal security vulnerability in the Template-Part Block when running WordPress on Windows systems. This vulnerability could potentially allow attackers to access files outside of the intended directory structure by manipulating file paths.

This security fix was merged from commit [58470] to the 5.2 branch.

Performance Improvements

No specific performance improvements were included in this release. WordPress 5.2.21 primarily focuses on security fixes and test reliability improvements.

Impact Summary

WordPress 5.2.21 is primarily a security and maintenance release that addresses a specific path traversal vulnerability affecting Windows-based WordPress installations. While the changes are minimal in scope, the security implications are significant for affected systems.

The release also improves the reliability of WordPress's test suite by addressing issues with external HTTP tests, which will benefit the development process but has minimal direct impact on end users.

Site administrators should prioritize this update if they are running WordPress 5.2.x, particularly on Windows servers. The security fix addresses a vulnerability that could potentially be exploited to access files outside of the intended directory structure.

For the broader WordPress ecosystem, this release represents WordPress's ongoing commitment to maintaining security and stability in older supported branches.

Statistics:

Files Changed: 7
Line Additions: 75
Line Deletions: 33
Line Changes: 108
Total Commits: 4

Users Affected:

  • WordPress 5.2.x users need to update their installations to version 5.2.21 to patch the security vulnerability
  • Windows server administrators particularly need this update to fix the path traversal issue in the Template-Part Block

Contributors:

SergeyBiryukov, audrasjb