WordPress Release: 5.3.9

Tag Name: 5.3.9

Release Date: 9/11/2021

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 5.3.9 brings important security updates and bug fixes to the core platform and block editor.

This maintenance release focuses on security improvements by updating the Lodash dependency to version 4.17.21 to address vulnerabilities, enhancing REST API request handling, and implementing additional security measures in the block editor. The update also includes performance optimizations through webpack configuration changes that create more deterministic module IDs.

This release is recommended for all WordPress 5.3.x users to maintain site security and stability.

Highlights of the Release

    • Updated Lodash dependency to version 4.17.21 to address security vulnerabilities
    • Improved REST API security by refining JSONP request handling
    • Enhanced block editor security by disabling certain rich text attributes
    • Optimized performance with deterministic webpack module IDs

Migration Guide

No specific migration steps are required for this update. This is a maintenance release that focuses on security improvements and bug fixes without introducing breaking changes.

To update to WordPress 5.3.9:

  1. Back up your website files and database before updating
  2. Update through the WordPress admin dashboard or download the update from wordpress.org
  3. Test your website functionality after the update to ensure everything works as expected

No changes to themes or plugins should be necessary as a result of this update.

Upgrade Recommendations

Priority: High

All WordPress 5.3.x users should upgrade to version 5.3.9 as soon as possible due to the security improvements included in this release. The update addresses several security vulnerabilities, particularly in the Lodash dependency and REST API handling.

For users on older WordPress versions, this update reinforces the importance of staying on a supported branch with regular security updates. If you're on an earlier 5.3.x version, updating to 5.3.9 is strongly recommended.

For those on WordPress 5.4 or newer, ensure you're on the latest version of your branch, which would include similar security patches.
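The recommendation above can be checked against a site's files. The following is an added example, not part of WordPress or of these release notes: a POSIX shell audit that reads the core version and the bundled Lodash version from a WordPress tree and flags a 5.3.x install below 5.3.9 or a Lodash copy older than 4.17.21. The two file paths, the version-line formats and all function names are assumptions of this example, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: audit a WordPress tree; file paths assume a standard core layout.

# Core version string from wp-includes/version.php ($wp_version = 'x.y.z';).
wp_core_version() {
    grep '^\$wp_version' "$1/wp-includes/version.php" 2>/dev/null | head -n 1 | cut -d"'" -f2
}

# Version of the Lodash copy bundled with core (var VERSION = 'x.y.z';).
bundled_lodash_version() {
    grep "var VERSION = '" "$1/wp-includes/js/dist/vendor/lodash.js" 2>/dev/null | head -n 1 | cut -d"'" -f2
}

# True when dotted numeric version $1 is lower than $2 (up to three components).
version_lt() {
    va=$1; vb=$2
    for _i in 1 2 3; do
        x=${va%%.*}; y=${vb%%.*}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
    done
    return 1
}

# Exit status: 0 = nothing to do, 1 = update needed, 2 = not a WordPress tree.
audit_wp_539() {
    core=$(wp_core_version "$1"); lodash=$(bundled_lodash_version "$1"); rc=0
    [ -n "$core" ] || { echo "no wp-includes/version.php under $1"; return 2; }
    case $core in
        5.3|5.3.*)
            if version_lt "$core" 5.3.9; then echo "core $core: below 5.3.9, update"; rc=1
            else echo "core $core: at or above 5.3.9"; fi ;;
        *) echo "core $core: not on the 5.3 branch, check that branch's latest release" ;;
    esac
    if [ -n "$lodash" ] && version_lt "$lodash" 4.17.21; then echo "bundled lodash $lodash: older than 4.17.21"; rc=1; fi
    return $rc
}

# Constructed sample tree (not a real install) so the script runs offline.
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/wp-includes/js/dist/vendor" &&
    printf "<?php\n\$wp_version = '%s';\n" "$1" > "$d/wp-includes/version.php" &&
    printf "  var VERSION = '%s';\n" "$2" > "$d/wp-includes/js/dist/vendor/lodash.js" &&
    echo "$d"
}
# With a path argument, audit that tree; without one, audit the constructed sample.
if [ $# -gt 0 ]; then audit_wp_539 "$1"; else audit_wp_539 "$(make_sample_tree 5.3.8 4.17.19)" || true; fi
```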

Bug Fixes

REST API Handling

  • Fixed how WordPress handles JSONP REST API requests by ensuring that only the _jsonp_wp_die_handler() is used for JSONP requests, improving security and reliability

Block Editor

  • Addressed security concerns by disabling certain attributes for rich text that could potentially be exploited

New Features

No significant new features were introduced in this maintenance release. WordPress 5.3.9 focuses primarily on security improvements and bug fixes to enhance the stability and security of the platform.

Security Updates

Dependency Updates

  • Updated Lodash to version 4.17.21 to address known security vulnerabilities in previous versions
  • This update patches multiple security issues in the Lodash library that could potentially be exploited

REST API Security

  • Improved the handling of JSONP REST API requests by ensuring proper handler usage, reducing potential attack vectors

Block Editor Security

  • Disabled certain attributes for rich text in the block editor to prevent potential security exploits
  • Additional package updates were applied to the Block Editor to address security concerns

Performance Improvements

Build System Improvements

  • Implemented hashed/deterministic moduleIDs in webpack configuration, which helps create more consistent builds and can improve caching performance
  • The optimization ensures that module IDs remain consistent between builds when the content hasn't changed, leading to better browser caching and potentially faster page loads for returning visitors

Impact Summary

WordPress 5.3.9 is primarily a security-focused maintenance release that addresses several vulnerabilities and improves the overall security posture of WordPress sites. The update to Lodash 4.17.21 patches known security issues in this widely-used dependency. Changes to REST API JSONP handling and block editor security further enhance protection against potential exploits.

The performance improvements through webpack configuration changes are subtle but beneficial, particularly for sites with frequent returning visitors who benefit from improved browser caching.

This release maintains backward compatibility and doesn't introduce any breaking changes, making it a straightforward but important update for all WordPress 5.3.x users. The security enhancements make this update particularly important for sites handling sensitive information or with high traffic volumes.

Statistics:

Files Changed: 7
Line Additions: 363
Line Deletions: 360
Line Changes: 723
Total Commits: 5

Users Affected:

  • Benefit from improved security through updated dependencies and REST API handling
  • Should update their sites promptly to maintain security posture
  • No visible changes to the admin interface or functionality

Contributors:

SergeyBiryukov, desrosj