WordPress Release: 5.3.1

Tag Name: 5.3.1

Release Date: 12/12/2019


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 5.3.1 is a maintenance and security release that addresses numerous bugs and includes several security fixes. This update improves accessibility, fixes issues with the Twenty Twenty theme, resolves media handling problems, addresses date/time functionality, and enhances the block editor experience. The release also includes important security patches for stored XSS vulnerabilities and permission checks.

Highlight of the Release

    • Security fixes for multiple stored XSS vulnerabilities
    • Fixed race condition in options API that could cause data loss when updating autoloaded options
    • Improved accessibility with standardized form controls and better button styling
    • Twenty Twenty theme enhancements including smooth scrolling with CSS and author bio toggle
    • Better image handling with fixes for PNG scaling and unique filename generation
    • Enhanced date/time handling with proper timezone support

Migration Guide

This is a maintenance and security release with no breaking changes that require specific migration steps. It's recommended to update to WordPress 5.3.1 as soon as possible to benefit from the security fixes and bug fixes.

If you're using custom code that relies on the following areas, you may want to review your implementation:

  1. Options API: If you have custom code that updates multiple autoloaded options in rapid succession, the race condition fix may affect your implementation.

  2. Date/Time Handling: If your code relies on PHP's default timezone having been changed away from UTC, update it to use the WordPress time functions (which apply the site's configured timezone) instead.

  3. Admin Toolbar: If you have custom code that extends or modifies the admin toolbar and relies on jQuery's hoverIntent, you may need to update it to work with the new native JavaScript implementation.
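Migration item 2 (date/time handling), shown as an added example that is not part of the WordPress release notes or of core: the fragile pattern that only works when PHP's default timezone has been changed away from UTC, next to the timezone-aware functions WordPress 5.3 introduced (`wp_timezone()`, `current_datetime()`, `wp_date()`, `get_post_datetime()`). It assumes WordPress 5.3 or later is loaded and a timezone is set under Settings; the `example_` function names are hypothetical.

```php
<?php
/**
 * Added example (not WordPress core code): moving timezone-dependent code
 * off PHP's default timezone and onto the site timezone WordPress manages.
 * Assumes WordPress 5.3+; all example_* names are hypothetical.
 */

// BEFORE: this only yields site-local time if something has called
// date_default_timezone_set() away from UTC, which core expects NOT to happen
// (5.3.1's new Site Health test flags exactly that). With the default at UTC
// it silently reports the wrong hour.
function example_local_time_fragile() {
    return date( 'Y-m-d H:i' );
}

// AFTER: ask WordPress for "now" in the site's configured timezone.
function example_local_time_now() {
    // current_datetime() returns a DateTimeImmutable in wp_timezone().
    return current_datetime()->format( 'Y-m-d H:i' );
}

// Format a stored GMT string (e.g. a post_date_gmt column value) for display
// in the site timezone. wp_date() applies wp_timezone() unless told otherwise.
function example_format_gmt_string( $gmt_string, $format = 'Y-m-d H:i' ) {
    $utc = new DateTimeImmutable( $gmt_string, new DateTimeZone( 'UTC' ) );
    return wp_date( $format, $utc->getTimestamp() );
}

// A post's own publish date as a timezone-aware object (5.3+), so no manual
// offset arithmetic is needed.
function example_post_local_date( $post_id ) {
    $dt = get_post_datetime( $post_id ); // DateTimeImmutable or false
    return $dt ? $dt->format( DATE_RFC3339 ) : '';
}

// Interpret user-entered local time in the site timezone and return a Unix
// timestamp. Timestamps are timezone-independent, so comparisons and storage
// give the same result whatever PHP's default timezone is.
function example_local_to_utc_timestamp( $local_string ) {
    $local = new DateTimeImmutable( $local_string, wp_timezone() );
    return $local->getTimestamp();
}

// The condition the new Site Health check verifies: PHP's default timezone
// must remain UTC so that core's date math stays consistent.
function example_php_default_timezone_is_utc() {
    return 'UTC' === date_default_timezone_get();
}
```

The key design point is to never read the site timezone out of PHP's global state: every function above obtains it from `wp_timezone()` (directly or through `current_datetime()`, `wp_date()` and `get_post_datetime()`), which is why the results stay correct after this release's `get_permalink()` and feed-date fixes that assume a UTC default.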

Upgrade Recommendations

Upgrade Priority: High

WordPress 5.3.1 contains important security fixes that address multiple stored XSS vulnerabilities. All WordPress site owners should update to this version immediately.

The release also fixes several bugs that could impact site functionality, particularly related to:

  • Image handling and uploads
  • Date/time functionality
  • Options API race conditions
  • Twenty Twenty theme usability

This is a maintenance release that focuses on bug fixes and security improvements without introducing breaking changes, making it a safe and recommended update for all WordPress sites running version 5.3.

Bug Fixes

  • Twenty Twenty Theme:

    • Fixed duplicate array key/value in TwentyTwenty_Non_Latin_Languages::get_non_latin_css()
    • Corrected alignment of author bio and bottom post meta on single posts on mobile
    • Fixed JS TypeError that prevented menu and search modals from opening on mobile WebKit browsers
    • Fixed alignment for embedded Instagram posts
    • Made comment form checkbox larger for better usability
    • Replaced JS smooth scroll implementation with CSS scroll-behavior property
    • Added prefers-reduced-motion media query for accessibility
  • Media & Uploads:

    • Fixed PHP notice in image_downsize() when trying to replace a non-image URL
    • Excluded PNG images from scaling after upload to prevent cases where scaled images could have larger file sizes
    • Fixed wp_unique_filename() to prevent name collisions with image sub-size file names
    • Standardized width for Scale and Crop inputs
  • Date/Time:

    • Fixed get_feed_build_date() to ensure correct timezone offset
    • Made get_permalink() more resilient against PHP timezone changes
    • Improved wp_maybe_decline_date() to properly handle word boundaries when declining month names
    • Fixed XML-RPC date handling to calculate proper GMT offset
  • Block Editor:

    • Fixed edge scrolling issues
    • Resolved intermittent JavaScript issues
    • Removed CollegeHumor embed provider (service no longer exists)
  • Options API:

    • Fixed a race condition in which, when two subsequent requests updated different autoloaded options, the first request's change could be lost
  • Admin Interface:

    • Corrected checkbox width in list tables on smaller screens
    • Standardized form control height and alignment across the admin
    • Fixed appearance of language selection on install screen
    • Improved dashboard link styling with proper underlines
  • Users:

    • Fixed display of Additional Capabilities list in user profile
    • Made admin email verification screen display in user's locale instead of site locale
  • Widgets:

    • Fixed focus management in the Image Widget
  • Comments:

    • Fixed PHP notice in comment_form() when email field is not set
  • Menus:

    • Fixed PHP warning in add_submenu_page() when the same value is passed for the parent slug and the menu slug

New Features and Enhancements

  • Site Health: Added a test for PHP default timezone to ensure it's set to UTC
  • Twenty Twenty Theme: Added Customizer option to show or hide author bio sitewide
  • Accessibility: Added aria-current attribute to Media Library switch links to help users with assistive technology
  • Accessibility: Added aria-pressed attribute to active buttons within button groups
  • KSES: Added support for gradient backgrounds
  • Admin Email: Introduced admin_email_remind_interval filter for customizing the dismissal period of the admin email confirmation screen
  • Admin Toolbar: Replaced jQuery-based hoverIntent with a native JavaScript implementation, reducing dependencies
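The new admin_email_remind_interval filter, as an added usage example that is not core code and not part of the release notes. It assumes WordPress 5.3.1 or later, that core passes the filter its default interval in seconds (the value here is never hard-coded, so the exact default is not assumed), and that the `EXAMPLE_` constant and `example_` function are hypothetical site-specific policy.

```php
<?php
/**
 * Added example (not WordPress core code): shortening the period for which
 * an administrator may dismiss the admin email confirmation screen, via the
 * admin_email_remind_interval filter added in 5.3.1.
 * Assumes WordPress 5.3.1+; EXAMPLE_* and example_* names are hypothetical.
 */

// Hypothetical site policy: re-prompt for admin email confirmation after
// this many days instead of core's default.
if ( ! defined( 'EXAMPLE_ADMIN_EMAIL_REMIND_DAYS' ) ) {
    define( 'EXAMPLE_ADMIN_EMAIL_REMIND_DAYS', 30 );
}

/**
 * Filter callback. Core passes the current interval in seconds.
 *
 * @param int $interval Interval in seconds supplied by core.
 * @return int Interval to use, in seconds.
 */
function example_admin_email_remind_interval( $interval ) {
    // Defensive: if another filter returned something odd, hand it back
    // untouched rather than turning it into a bogus interval.
    if ( ! is_int( $interval ) || $interval <= 0 ) {
        return $interval;
    }

    $policy = (int) EXAMPLE_ADMIN_EMAIL_REMIND_DAYS * DAY_IN_SECONDS;

    // Only ever shorten the window: a site policy should not extend the
    // period during which an unconfirmed admin email goes unchallenged.
    return min( $interval, $policy );
}
add_filter( 'admin_email_remind_interval', 'example_admin_email_remind_interval' );
```

Because the callback clamps with `min()`, a later filter that lengthens the interval cannot be overridden by it in the other direction; hook with a high priority if the policy must win regardless of other plugins.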

Security Updates

  • Fixed a vulnerability that allowed users to make a post sticky without proper permissions
  • Patched multiple stored XSS vulnerabilities:
    • Fixed stored XSS through wp_targeted_link_rel()
    • Updated wp_kses_bad_protocol() to recognize : on URI attributes to prevent protocol validation bypass
    • Prevented stored XSS in the block editor by ensuring escaped unicode characters remain escaped during JSON decoding
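The permission and protocol-validation points above, as an added defender-side example that is not WordPress core code and not part of the release notes: a plugin AJAX handler that changes sticky status only after a nonce check and the capability core associates with sticky posts, and helpers that push untrusted HTML and link targets through KSES so scheme validation is done by `wp_kses_bad_protocol()` rather than by ad-hoc string checks. It assumes WordPress 5.3.1 or later; the `example_` names, the AJAX action and the nonce action are hypothetical.

```php
<?php
/**
 * Added example (not WordPress core code): enforcing the sticky-post
 * permission in plugin code and validating URI attributes with KSES.
 * Assumes WordPress 5.3.1+; all example_* names are hypothetical.
 */

add_action( 'wp_ajax_example_toggle_sticky', 'example_toggle_sticky' );

function example_toggle_sticky() {
    // CSRF protection: dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_toggle_sticky', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || 'post' !== get_post_type( $post_id ) ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // Sticky status changes what every visitor sees on the front page, so it
    // is gated on edit_others_posts (the capability core checks for sticky),
    // in addition to being allowed to edit this particular post.
    if ( ! current_user_can( 'edit_others_posts' ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    if ( is_sticky( $post_id ) ) {
        unstick_post( $post_id );
    } else {
        stick_post( $post_id );
    }

    wp_send_json_success( array( 'sticky' => is_sticky( $post_id ) ) );
}

/**
 * Sanitize untrusted HTML before it is stored. wp_kses_post() removes tags
 * and attributes outside the "post" allow list and runs URI attributes
 * (href, src, ...) through wp_kses_bad_protocol() against wp_allowed_protocols().
 */
function example_sanitize_submitted_html( $html ) {
    return wp_kses_post( (string) $html );
}

/**
 * Decide whether a single link target passes KSES scheme validation.
 * wp_kses_bad_protocol() strips a scheme that is not in the allow list and
 * returns the remainder, so "unchanged" means the scheme (or lack of one,
 * for relative URLs) was acceptable. Empty input is rejected outright.
 */
function example_link_target_is_allowed( $url ) {
    $url = (string) $url;
    if ( '' === $url ) {
        return false;
    }
    return wp_kses_bad_protocol( $url, wp_allowed_protocols() ) === $url;
}
```

Relying on `wp_kses_bad_protocol()` instead of a home-grown `strpos( $url, 'javascript:' )` check is the point: the encoded-colon handling this release improves lives in that one function, so code routing links through it inherits the fix instead of needing its own patch.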

Performance Improvements

  • Admin Toolbar: Replaced jQuery-based hoverIntent with a native JavaScript implementation, reducing dependencies and improving performance
  • Sodium Compatibility: Updated sodium_compat to v1.12.1, which includes a speedup for signature verification on most platforms and bugfixes for 32-bit platforms
  • Options API: Improved handling of the alloptions cache to minimize race conditions and prevent data loss

Impact Summary

WordPress 5.3.1 is an important maintenance and security release that addresses multiple stored XSS vulnerabilities and fixes numerous bugs across the platform.

The security fixes patch vulnerabilities related to post sticky status permissions, targeted link relations, protocol validation in KSES, and block editor content handling. These fixes are critical for maintaining site security.

On the functionality side, this release resolves a significant race condition in the Options API that could cause data loss when updating autoloaded options. It also improves date/time handling with better timezone support, enhances accessibility throughout the admin interface, and fixes several issues with the Twenty Twenty theme.

Media handling sees improvements with fixes for PNG image scaling and unique filename generation. The block editor receives fixes for edge scrolling issues and other JavaScript problems.

For developers, the release adds new filters and improves API behavior, particularly around options handling and date/time functionality. It also reduces jQuery dependencies by implementing a native JavaScript version of hoverIntent for the admin toolbar.

Overall, this is a high-priority update that enhances security, fixes bugs, and improves the user experience without introducing breaking changes.

Statistics:

Files Changed: 96
Line Additions: 5,399
Line Deletions: 1,198
Line Changes: 6,597
Total Commits: 60

Users Affected:

  • Improved security with fixes for stored XSS vulnerabilities
  • Better accessibility in admin dashboard with standardized form controls
  • Fixed race condition in options API that could cause data loss
  • New Site Health test for PHP default timezone

Contributors:

SergeyBiryukov, desrosj, azaozz, whyisjake