WordPress Release: 5.5.13
Tag Name: 5.5.13
Release Date: 10/12/2023
WordPress
World's most popular open-source content management system, powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.
TL;DR
WordPress 5.5.13 is a security-focused maintenance release that addresses several important vulnerabilities. It includes fixes to prevent unauthorized access to comments, restricts media shortcode AJAX to specific types, ensures proper cache headers in the REST API, limits user search capabilities for non-administrators, and prevents potential object unserialization exploits. This release is critical for maintaining the security of WordPress 5.5.x installations.
Highlight of the Release
- Fixed security vulnerability that allowed viewing comments on posts users shouldn't have access to
- Restricted media shortcode AJAX functionality to specific types for improved security
- Added proper no-cache headers to REST API when methods are overridden
- Limited search_columns capability for users without list_users permission
- Patched potential object unserialization vulnerabilities
Migration Guide
No migration steps are required for this update. This is a straightforward security release that can be applied directly to existing WordPress 5.5.x installations without any special considerations or changes to your site configuration.
Upgrade Recommendations
Priority: Critical
All WordPress sites running version 5.5.x should upgrade to 5.5.13 immediately. This release contains important security fixes that protect your site from potential vulnerabilities.
The update process should be straightforward:
- Back up your website files and database before updating
- Update through the WordPress dashboard or download the update from wordpress.org
- Verify your site functionality after the update is complete
No compatibility issues have been reported with this security release.
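The backup, update and verify steps above as a WP-CLI script. This is an added example, not part of the release notes; it assumes WP-CLI (`wp`) is installed, and the function names, arguments and backup file names are illustrative.

```shell
#!/bin/sh
# Added example: guarded upgrade of a WordPress 5.5.x site to 5.5.13.
TARGET="5.5.13"

# Succeeds only for a version on the 5.5 branch that is older than TARGET.
needs_update() {
    case "$1" in
        5.5)   patch=0 ;;
        5.5.*) patch=${1#5.5.} ;;
        *)     return 1 ;;              # other branches have their own releases
    esac
    case "$patch" in
        ''|*[!0-9]*) return 1 ;;        # reject non-numeric patch levels
    esac
    [ "$patch" -lt "${TARGET#5.5.}" ]
}

# upgrade_site <wordpress-path> <backup-dir>
# backup-dir should live outside the web root so dumps are never served.
upgrade_site() {
    path=$1
    backup_dir=$2
    current=$(wp core version --path="$path") || return 2
    if ! needs_update "$current"; then
        echo "skip: $path is on $current"
        return 0
    fi
    stamp=$(date +%Y%m%d-%H%M%S)

    # 1. Back up the database and the files before touching anything.
    wp db export "$backup_dir/db-$stamp.sql" --path="$path" || return 3
    tar -czf "$backup_dir/files-$stamp.tar.gz" -C "$path" . || return 3

    # 2. Update to the exact security release, then run any DB upgrade.
    wp core update --version="$TARGET" --path="$path" || return 4
    wp core update-db --path="$path" || return 4

    # 3. Verify the installed version and core file integrity.
    [ "$(wp core version --path="$path")" = "$TARGET" ] || return 5
    wp core verify-checksums --path="$path" || return 5
    echo "ok: $path upgraded from $current to $TARGET"
}

# Runs only when called as: script.sh <wordpress-path> <backup-dir>
if [ "$#" -eq 2 ]; then
    upgrade_site "$1" "$2"
fi
```

A non-zero return code identifies the step that failed (3 for backup, 4 for update, 5 for verification), so a failed backup stops the run before any core files change.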
Bug Fixes
Security-Related Bug Fixes
- Comments Visibility: Fixed a vulnerability that allowed users to see comments on posts they didn't have permission to view
- Media Shortcode Restriction: Addressed a security issue by restricting media shortcode AJAX functionality to certain types
- REST API Cache Headers: Fixed missing no-cache headers when REST API methods are overridden
- User Search Limitations: Corrected an issue where users without proper permissions could access sensitive user data through search columns
- Object Unserialization: Patched potential vulnerabilities related to unintended behavior when certain objects are unserialized
New Features
No new features were added in this release as it focuses exclusively on security fixes and enhancements to existing functionality.
Security Updates
- Comment Privacy: Implemented proper access control checks to prevent unauthorized users from viewing comments on private or protected posts
- Media Shortcode Protection: Added type restrictions to media shortcode AJAX functionality to prevent potential security exploits
- REST API Security: Enhanced REST API security by ensuring proper no-cache headers are sent when methods are overridden
- User Data Protection: Limited `search_columns` functionality for users without the `list_users` capability to prevent unauthorized access to user information
- Unserialization Protection: Added safeguards to prevent unintended behavior and potential security issues when certain objects are unserialized
These security fixes address multiple vulnerabilities that could potentially be exploited to access unauthorized data or perform unintended actions on WordPress sites.
Performance Improvements
No specific performance improvements were included in this release. The changes were primarily focused on security enhancements and bug fixes.
Impact Summary
WordPress 5.5.13 is a critical security release that addresses multiple vulnerabilities that could potentially expose sensitive information or allow unauthorized actions on your site. The fixes include preventing unauthorized access to comments on private posts, restricting media shortcode functionality, improving REST API security with proper cache headers, limiting user search capabilities for non-administrators, and preventing potential object unserialization exploits.
This release is particularly important for sites that handle sensitive content, use the REST API extensively, or have multiple user roles with varying permissions. The security enhancements provide better protection for user data and content while maintaining compatibility with existing WordPress installations.
While this update doesn't introduce new features or performance improvements, it significantly strengthens the security posture of WordPress 5.5.x installations and should be applied promptly to all sites running this version branch.
Statistics:
Users Affected:
- Enhanced security for site management with fixes to REST API vulnerabilities
- Better protection against potential object unserialization exploits
- Improved control over user data access through search column restrictions
