WordPress Release: 5.3.5

Tag Name: 5.3.5

Release Date: 10/29/2020

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 5.3.5 is a security and maintenance release that addresses several security vulnerabilities and includes various improvements to build tools and testing infrastructure. This update focuses on enhancing security across multiple components including XML-RPC, embeds, meta handling, and theme functionality, while also improving developer tools for better compatibility with modern environments.

Highlights of the Release

    • Multiple security enhancements across XML-RPC, embeds, and theme functionality
    • Improved build tools compatibility with modern development environments
    • Better backward compatibility for screen option filters
    • Enhanced Docker testing environment with more flexible PHPUnit version selection

Migration Guide

No specific migration steps are required for this release. This is a security and maintenance update that should be applied as soon as possible without breaking existing functionality.

Upgrade Recommendations

This release contains important security fixes and is recommended for all WordPress installations. Site administrators should update to WordPress 5.3.5 immediately to protect their sites from the security vulnerabilities addressed in this release.

For those using automatic background updates, your site may already be updated. If not, we strongly recommend manually initiating the update from your WordPress dashboard or through your hosting provider.

Bug Fixes

Administration Fixes

  • Fixed a backward compatibility issue with screen options by passing the result of the set-screen-option filter to the new set_screen_option_{$option} filter
  • Renamed the $keep parameter to $screen_option in both filters for better clarity
  • Updated documentation to better reflect the purpose of these parameters

Build Tool Fixes

  • Fixed Composer 2.0 compatibility by updating the dealerdirect/phpcodesniffer-composer-installer package to allow installing version 0.7.0
  • Temporarily skipped PDF tests when they fail due to ImageMagick permission errors

New Features

Build Tool Improvements

  • Added explicit NodeJS version specification in .nvmrc file to ensure compatibility with nvm install and nvm use commands
  • Introduced LOCAL_PHPUNIT environment variable to specify PHPUnit version when running tests in Docker environment
  • Updated Docker install script to specify types when using wp config set to prevent errors with older WordPress/PHP/WP-CLI combinations

Security Updates

Security Enhancements

  • XML-RPC: Improved error messages for unprivileged users to prevent information disclosure
  • XML-RPC: Added error message return when attachment ID is incorrect
  • External Libraries: Disabled deserialization in Requests_Utility_FilteredIterator to prevent potential object injection
  • Embeds: Disabled embeds on deactivated Multisite sites to prevent potential misuse
  • Meta: Added sanitization of meta keys before checking protection status
  • Themes: Ensured that only privileged users can set background images when a theme uses the deprecated custom background page
  • Coding Standards: Modified escaping functions to avoid potential false positives that could lead to security issues
  • Upgrade/Install: Improved logic check when determining installation status to prevent potential security issues

Performance Improvements

No specific performance improvements were mentioned in this release.

Impact Summary

WordPress 5.3.5 is primarily a security-focused release that addresses several vulnerabilities across different components of the CMS. The security fixes target XML-RPC functionality, embed handling, meta sanitization, and theme capabilities to prevent potential exploits.

For developers, this release improves compatibility with modern development tools like Composer 2.0 and provides better flexibility for testing environments. The explicit NodeJS version specification and PHPUnit version selection options make it easier to work with the WordPress codebase across different environments.

The administration improvements enhance backward compatibility for screen options, ensuring plugins that rely on this functionality continue to work properly.

Overall, this release strengthens WordPress's security posture while making incremental improvements to the development experience without introducing breaking changes.

Statistics:

Files Changed: 33
Line Additions: 303
Line Deletions: 79
Line Changes: 382
Total Commits: 9

Users Affected:

  • Enhanced security for XML-RPC functionality with improved error messages for unprivileged users
  • Better protection against unauthorized access to background image settings
  • Improved installation status logic checks

Contributors:

SergeyBiryukov, desrosj, whyisjake