WordPress Release: 5.2.3

TL;DR

WordPress 5.2.3 is a security and maintenance release that addresses several important security vulnerabilities and includes numerous bug fixes and accessibility improvements. This update focuses on enhancing the user experience with fixes for the Block Editor, Media Library, Customizer, and various UI components. The release also improves RTL language support and includes theme updates for Twenty Seventeen and Twenty Nineteen. All WordPress site owners are strongly encouraged to update to this version immediately to protect their sites from security vulnerabilities.

Highlight of the Release

• Multiple security fixes including improved URL validation and sanitization
• Extensive accessibility improvements across the admin interface
• Fixed issues with the Media Library modal dialog and improved keyboard navigation
• Menu management improvements including fixed Custom Links text fallback and URL whitespace trimming
• Block Editor fixes and enhancements
• Theme updates for Twenty Seventeen and Twenty Nineteen

Migration Guide

No specific migration steps are required for this update. WordPress 5.2.3 is a maintenance and security release that should not break existing functionality.

However, as with any WordPress update, it's recommended to:

1. Back up your website before updating
2. Test the update on a staging environment if possible
3. Check plugin and theme compatibility after updating
4. Review your site thoroughly after the update to ensure everything works as expected

If you're using custom code that interacts with any of the fixed functions (particularly URL validation or sanitization functions), you may want to test those specific functionalities after updating.

Upgrade Recommendations

Immediate upgrade is strongly recommended for all WordPress sites.

WordPress 5.2.3 contains several important security fixes that address vulnerabilities in WordPress core. These security issues could potentially be exploited if left unpatched.

The update also includes numerous bug fixes and accessibility improvements that enhance the overall user experience and site functionality.

This is a maintenance release, so the risk of compatibility issues with existing plugins and themes is minimal. The benefits of the security fixes far outweigh any potential risks of updating.

To update:

1. Back up your website
2. Use the automatic update feature in your WordPress dashboard
3. Alternatively, download the update from WordPress.org and perform a manual update

If you manage multiple WordPress sites, prioritize updating all of them as soon as possible.

Bug Fixes

User Interface and Functionality Fixes

• Menus: Fixed Custom Links text fallback, restoring the original behavior of using "Menu Item" as fallback text instead of "(Pending)"
• Menus and Customizer: Now trim whitespace from custom link URLs
• Block Editor: Fixed undefined $locked variable in edit-form-blocks.php when the show_post_locked_dialog filter is used
• Block Editor: Fixed the link to the classic editor when incompatible meta boxes are detected
• Block Editor: Avoided PHP warnings when themes add editor styles with empty filenames
• Plugins: Fixed plugin details modal layout
• Customize: Fixed text direction for color picker in RTL languages
• Customize: Made the color picker close when clicking on the empty area on the right
• Media: Fixed the order of Previous, Next, and Close buttons in the Attachment Details modal
• Media: Ensured the bottom media toolbar content is fully visible with Internet Explorer 11
• Media: Reduced bulk media options to have one primary button
• Formatting: Fixed conversion of smilies in ignored tags that have attributes
• Site Health: Used correct variable when checking PHP requirements for plugin updates

Theme-specific Fixes

• Twenty Nineteen: Revised Latest Posts block styles to support post content options
• Twenty Seventeen: Added missing focus state for native audio and video embeds
• Twenty Seventeen: Corrected CSS selectors for MediaElement controls hover colors
• Twenty Seventeen: Fixed height for Button blocks without text

New Features

Enhanced Security Measures

WordPress 5.2.3 introduces several important security improvements:

• Improved URL validation in wp_validate_redirect()
• Enhanced sanitization in wp_kses_bad_protocol_once()
• Updated handling of the existing rel attribute in wp_rel_nofollow_callback()
• Removed _convert_urlencoded_to_entities() from the get_the_content() callback
• Escaped output in wp_ajax_upload_attachment()
• Added HTML sanitization to wp.a11y.speak() before display

These changes strengthen WordPress core against potential security vulnerabilities and improve overall site security.

Security Updates

Critical Security Fixes

WordPress 5.2.3 addresses several important security vulnerabilities:

1. URL Validation and Sanitization:

   • Improved URL validation in wp_validate_redirect() to prevent potential redirect vulnerabilities
   • Enhanced URL sanitization in wp_kses_bad_protocol_once() to better protect against malicious URLs

2. Output Escaping:

   • Added proper escaping to the output in wp_ajax_upload_attachment() to prevent potential XSS attacks
   • Removed _convert_urlencoded_to_entities() from the get_the_content() callback for better security

3. HTML Sanitization:

   • Updated wp.a11y.speak() to sanitize HTML before display, preventing potential script injection
   • Improved handling of the existing rel attribute in wp_rel_nofollow_callback() for better security

These security fixes address vulnerabilities that could potentially be exploited by malicious actors. All WordPress site owners are strongly encouraged to update to version 5.2.3 immediately to protect their sites.

Performance Improvements

No specific performance improvements were highlighted in this release. The focus was primarily on security enhancements, bug fixes, and accessibility improvements rather than performance optimizations.

Impact Summary

WordPress 5.2.3 delivers significant improvements in security, accessibility, and overall user experience. The security enhancements are particularly important, addressing several vulnerabilities in core WordPress functions related to URL validation, sanitization, and output escaping.

The accessibility improvements are extensive, making WordPress more usable for people with disabilities. These include proper ARIA attributes for modal dialogs, improved keyboard navigation, better screen reader support, and fixed heading hierarchies throughout the admin interface.

Bug fixes address issues across multiple areas including the Block Editor, Media Library, Customizer, and menu management. These fixes improve the day-to-day experience for content creators and site administrators.

The update also includes specific improvements for RTL language users, enhancing the experience for international WordPress users.

For developers, the release includes documentation fixes and addresses PHP warnings that could occur in certain scenarios.

Overall, this release strengthens WordPress security while improving usability for all users, with particular benefits for accessibility users and content creators working with the Block Editor and Media Library.