
WordPress Release: 5.3.15

Tag Name: 5.3.15

Release Date: 5/16/2023


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 5.3.15 is a maintenance and security release that addresses several important issues. It includes security fixes for CSRF vulnerabilities in media attachment thumbnails and adds protocol validation for WordPress embed code. The release also improves internationalization with a new locale sanitization function, ensures block comments are properly validated, and updates GitHub Actions workflows to address deprecated notices. Additionally, it adds new translation strings for end-of-life updates and refactors HTTP API tests to remove external dependencies.

Highlight of the Release

    • Security fixes for CSRF vulnerabilities in media attachment thumbnails
    • Added protocol validation for WordPress embed code
    • New locale sanitization function for internationalization
    • Block comment validation improvements
    • Updated GitHub Actions workflows to address deprecated notices
    • Added new translation strings for end-of-life updates
    • Refactored HTTP API tests to remove external dependencies

Migration Guide

This maintenance and security release doesn't require any specific migration steps. It's recommended to update to WordPress 5.3.15 as soon as possible to benefit from the security fixes and improvements.

If you're a developer who has been using the HTTP API tests with external dependencies, note that the WP_HTTP::handle_redirects() test has been moved from the external-http group to the http test group as it no longer makes an HTTP request.

Upgrade Recommendations

It is strongly recommended to upgrade to WordPress 5.3.15 as soon as possible due to the security fixes included in this release. The update addresses several security vulnerabilities including CSRF protection for media attachments and protocol validation for embeds.

This is a maintenance and security release that should be safe to apply to all WordPress 5.3.x installations. As with any update, it's always a good practice to back up your site before upgrading.

For users on older versions of WordPress, consider updating to the latest major version (WordPress 6.x) if possible, as WordPress 5.3 is approaching its end-of-life.

Bug Fixes

  • HTTP API Test Refactoring: Refactored and re-enabled an existing test so that it calls the WP_HTTP::handle_redirects() method directly with a mocked array of HTTP headers containing multiple Location headers, removing wordpress.org as an external dependency of the test suite.

  • Block Editor: Ensured block comments are of a valid form, preventing potential issues with malformed comments.

New Features and Enhancements

  • End-of-Life Update Notifications: Added new translation strings in about.php for use when releasing the final version of WordPress on a particular branch, improving communication about version support lifecycle.

  • Locale Sanitization: Introduced a new sanitization function for locales to enhance internationalization security and reliability.

  • GitHub Actions Improvements:

    • Added support for automatically retrying failed workflows once
    • Updated workflows to ensure consistency across branches
    • Improved Docker environment related tooling

Security Updates

  • Media Attachment Security: Fixed a CSRF (Cross-Site Request Forgery) vulnerability in setting attachment thumbnails, preventing potential unauthorized modifications to media files.

  • Embed Code Protection: Added protocol validation for WordPress Embed code to prevent potential security issues with malicious embed sources.

  • Block Comment Validation: Improved validation of block comments to ensure they are in a valid form, preventing potential security issues related to malformed comments.

  • Locale Handling: Introduced a sanitization function for locales to prevent potential security issues related to improper locale handling.

Performance Improvements

  • GitHub Actions Optimization: The updates to GitHub Actions workflows improve the build and test process efficiency by addressing deprecated notices and adding automatic retry functionality for failed workflows.

  • Test Suite Improvements: By removing external dependencies in HTTP API tests, the test suite runs more efficiently and reliably without requiring external network connections.

Impact Summary

WordPress 5.3.15 is primarily a security and maintenance release that addresses several important vulnerabilities and improves the codebase. The security fixes for CSRF in media attachments and protocol validation for embeds directly enhance site security for all WordPress users.

For developers, the refactored HTTP API tests improve the testing environment by removing external dependencies, making tests more reliable and faster. The introduction of a locale sanitization function provides better tools for handling internationalization securely.

The GitHub Actions workflow improvements, while mostly behind-the-scenes, ensure that the WordPress development and testing infrastructure remains robust and efficient, addressing deprecated notices and adding automatic retry functionality.

The addition of new translation strings for end-of-life updates improves communication about version support lifecycle, which will be particularly relevant as WordPress 5.3 approaches its end-of-life.

Overall, this release demonstrates WordPress's ongoing commitment to security, code quality, and developer experience improvements even in maintenance releases.

Statistics:

Files Changed: 22
Line Additions: 496
Line Deletions: 83
Line Changes: 579
Total Commits: 5

Users Affected:

  • Benefit from improved security against CSRF attacks in media attachment handling
  • Receive enhanced protection through protocol validation for WordPress embed code
  • Will see new translation strings for end-of-life updates when applicable

Contributors:

peterwilsoncc, desrosj, audrasjb, SergeyBiryukov