WordPress Release: 5.4.13

TL;DR

WordPress 5.4.13 is a maintenance and security release that addresses several important issues. It includes security fixes for CSRF vulnerabilities in media attachment thumbnails, improves embed code validation, enhances locale sanitization, and ensures block comments are properly validated. The release also includes improvements to GitHub Actions workflows, adds new translation strings for end-of-life updates, and refactors HTTP redirect handling tests to remove external dependencies.

Highlight of the Release

• Security fixes for CSRF vulnerabilities in media attachment thumbnails
• Improved protocol validation for WordPress embed code
• New sanitization function for locales
• Enhanced validation for block comments in the editor
• New translation strings for end-of-life updates
• Refactored HTTP redirect handling tests

Migration Guide

No specific migration steps are required for this release. As this is primarily a security and maintenance release, updating to WordPress 5.4.13 should be straightforward.

If you're using custom code that interacts with attachment thumbnails, embeds, or locale handling, you may want to review your implementation to ensure compatibility with the security improvements in this release.

Upgrade Recommendations

This release contains important security fixes, so it is strongly recommended that all WordPress 5.4.x sites be updated to version 5.4.13 as soon as possible.

For sites already on WordPress 5.4.x, this is a standard security update that should be applied immediately. The security improvements address potential vulnerabilities that could be exploited if left unpatched.

For sites on older versions of WordPress, consider upgrading to the latest supported version of WordPress for the most up-to-date security features and improvements.

Bug Fixes

Security Fixes

• Media: Fixed a CSRF vulnerability in setting attachment thumbnails
• Embeds: Added protocol validation for WordPress Embed code to prevent potential security issues
• Editor: Improved validation to ensure block comments are of a valid form

New Features

New Translation Strings for End-of-Life Updates

This release adds two additional translation strings in the changelog file (about.php), specifically designed for use when releasing the final version of WordPress on a particular branch. These strings will help communicate important end-of-life information to users in their preferred language.

New Locale Sanitization Function

A new sanitization function for locales has been introduced, improving security and data handling for internationalization features.

Security Updates

Critical Security Fixes

This release includes several important security enhancements:

• CSRF Protection for Media: Fixed a Cross-Site Request Forgery vulnerability in the media attachment thumbnails functionality
• Embed Code Validation: Added protocol validation for WordPress Embed code to prevent potential security exploits
• Locale Sanitization: Introduced a new sanitization function for locales to prevent potential injection attacks
• Block Comment Validation: Enhanced validation to ensure block comments are of a valid form, preventing potential security issues

Performance Improvements

GitHub Actions Workflow Improvements

Several updates to GitHub Actions workflows have been backported to improve build and test processes:

• Addressed deprecated notices related to save-output and set-output
• Added support for automatically retrying failed workflows once
• Removed workflow files not applicable to the branch
• Backported Docker environment related tooling updates for consistency across branches

Impact Summary

WordPress 5.4.13 is primarily a security and maintenance release that addresses several important vulnerabilities and improves the overall stability of the platform. The security fixes for CSRF in media attachments, embed code validation, locale sanitization, and block comment validation significantly enhance the security posture of WordPress sites.

The refactoring of HTTP redirect handling tests improves the development experience by removing external dependencies, making tests more reliable and faster to run. The addition of new translation strings for end-of-life updates improves the user experience for non-English speakers when a WordPress branch reaches its end of support.

GitHub Actions workflow improvements ensure that the continuous integration and deployment processes remain functional and efficient, which indirectly benefits all users through more reliable testing and release processes.

Overall, this release demonstrates WordPress's ongoing commitment to security and maintenance of older branches, ensuring that sites running on WordPress 5.4.x remain secure even as newer major versions are available.