WordPress Release: 5.7.9

Tag Name: 5.7.9

Release Date: 5/16/2023


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 5.7.9 is a security and maintenance release that addresses several security vulnerabilities and includes various improvements to the testing infrastructure. This update improves the security posture of WordPress installations by fixing a CSRF issue when setting attachment thumbnails, adding protocol validation for WordPress embed code, and introducing a sanitization function for locales. The release also includes improvements to GitHub Actions workflows and adds new translation strings for end-of-life notifications.

Highlight of the Release

    • Security fix for a CSRF vulnerability when setting media attachment thumbnails
    • Added protocol validation for WordPress Embed code
    • New sanitization function for locales
    • Improved block editor comment validation
    • Refactored HTTP redirect tests to remove external dependencies
    • Added new translation strings for end-of-life notifications

Migration Guide

This is a security and maintenance release that doesn't require any specific migration steps. Update to WordPress 5.7.9 through your dashboard or by downloading the update from wordpress.org. Sites on the 5.7 branch with automatic background updates enabled (the default for minor releases) receive it automatically; 5.7.9 stays on the 5.7 branch and does not move a site to a newer major version.

After updating, no additional configuration changes are needed as all security fixes and improvements are applied automatically during the update process.

Upgrade Recommendations

Immediate upgrade is strongly recommended for all WordPress 5.7.x installations due to the security fixes included in this release. The security vulnerabilities addressed could potentially be exploited on unpatched sites.

This release contains important security fixes that protect your site from potential attacks, including CSRF protection for media attachments and improved validation for embeds and locales.

The update process should be straightforward with no expected compatibility issues. As always, it's recommended to back up your site before performing any update.

Bug Fixes

  • HTTP Redirect Handling: Refactored and re-enabled tests for WP_HTTP::handle_redirects() to properly validate handling of multiple location headers without relying on external dependencies.

  • Block Editor Comments: Improved validation for block comments to ensure they are of a valid form, preventing potential issues with malformed comments.

  • GitHub Actions Workflows: Fixed deprecated notices related to the save-state and set-output workflow commands to ensure workflows continue to run after these commands are removed from GitHub Actions.

New Features

  • End-of-Life Notification Strings: Added new translation strings in about.php for use when releasing the final version of WordPress on a particular branch, improving communication about version support lifecycle.

  • Locale Sanitization Function: Introduced a new sanitization function specifically for locales, so that locale strings taken from configuration or request data are reduced to a safe character set before use.

Security Updates

  • Media Attachment Security: Fixed a CSRF (Cross-Site Request Forgery) vulnerability in setting attachment thumbnails, preventing potential unauthorized modifications to media files.

  • WordPress Embed Code: Added protocol validation for WordPress Embed code to prevent potential security issues with malicious embed sources.

  • Locale Handling: Introduced proper sanitization for locale values so that improperly validated locale strings cannot carry unexpected characters into the code paths that consume them.

  • Block Editor Security: Improved validation of block comments to ensure they are properly formed, preventing potential security issues with malformed content.
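The CSRF fix above is about a request handler that changed data without proving the request was intentional. The following is an added example, not WordPress core code and not the patched code path: a minimal admin-ajax handler that sets a post's featured image, shown first without request forgery protection and then hardened with a nonce and a capability check. The function and action names (example_set_thumbnail_*) and the nonce action string are hypothetical; only the WordPress API calls are real.

```php
<?php
/**
 * Added example (not WordPress core code): a hypothetical admin-ajax handler
 * that sets a post's featured image, shown unsafe and then hardened.
 */

// --- Vulnerable pattern: trusts any request that reaches admin-ajax.php. ---
// A logged-in editor who visits an attacker-controlled page can be made to
// submit this request cross-site; the browser attaches the session cookie and
// the request is processed with the victim's privileges.
function example_set_thumbnail_unsafe() {
    $post_id  = (int) $_POST['post_id'];
    $thumb_id = (int) $_POST['thumbnail_id'];

    set_post_thumbnail( $post_id, $thumb_id );   // no nonce, no capability check
    wp_send_json_success();
}
add_action( 'wp_ajax_example_set_thumbnail_unsafe', 'example_set_thumbnail_unsafe' );

// --- Hardened pattern: nonce (CSRF) + capability (authorization) + input checks. ---
function example_set_thumbnail_safe() {
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action. check_ajax_referer() terminates the request if the nonce in
    //    the _ajax_nonce field is missing or invalid.
    check_ajax_referer( 'example_set_thumbnail', '_ajax_nonce' );

    $post_id  = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $thumb_id = isset( $_POST['thumbnail_id'] ) ? absint( $_POST['thumbnail_id'] ) : 0;

    // 2. Authorization: a valid nonce proves intent, not permission. The user
    //    must be allowed to edit this specific post.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: the thumbnail must be an existing image attachment.
    if ( ! $thumb_id || ! wp_attachment_is_image( $thumb_id ) ) {
        wp_send_json_error( 'invalid_attachment', 400 );
    }

    if ( ! set_post_thumbnail( $post_id, $thumb_id ) ) {
        wp_send_json_error( 'update_failed', 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'thumbnail_id' => $thumb_id ) );
}
add_action( 'wp_ajax_example_set_thumbnail_safe', 'example_set_thumbnail_safe' );

// The page that issues the request must embed a matching nonce, for example
// with wp_create_nonce( 'example_set_thumbnail' ) passed to the script via
// wp_localize_script(), and send it as the _ajax_nonce field.
```

The order of the three checks matters: the nonce check runs first so that forged requests are rejected before any database lookup, and the capability check is scoped to the specific post rather than a blanket `manage_options`, which is what least privilege looks like for this operation. A nonce alone is not authorization; an attacker with a low-privilege account can always obtain a valid nonce for their own session.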

Build and Test Tooling Improvements

  • GitHub Actions Enhancements: Added support for automatically retrying failed workflows once, reducing manual intervention needed for transient test failures.

  • Docker Environment Updates: Backported Docker environment related tooling updates for consistency across branches, improving development environment reliability.

Impact Summary

WordPress 5.7.9 is primarily a security-focused release that addresses several vulnerabilities that could affect WordPress sites. The most notable security improvements include fixing a CSRF vulnerability in media attachment handling, adding protocol validation for embeds, and introducing proper locale sanitization.
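The two validation fixes summarised above (protocol validation for embeds and locale sanitization) are both allow-list checks on a string that later reaches a sensitive sink: an embed URL reaches a browser, a locale name reaches a file path. The following is an added example written for this page, not WordPress core code, showing the shape of such checks as plain PHP that runs without WordPress. The function names, the exact character set and the length cap are hypothetical; the rules core applies may differ. The test vectors at the bottom are constructed for this example.

```php
<?php
/**
 * Added example (not WordPress core code): allow-list validators for locale
 * names and embed URLs, plus constructed test vectors. Names are hypothetical.
 */

/**
 * Reduce a locale string to the characters a locale identifier can contain.
 * Disallowed characters (slashes, dots, NULs, spaces) are stripped rather than
 * escaped, because the value typically ends up in a file name such as
 * wp-content/languages/<locale>.mo. The 20-character cap is an assumption.
 */
function example_sanitize_locale( string $locale ): string {
    $clean = preg_replace( '/[^A-Za-z0-9_-]/', '', $locale );
    return substr( $clean, 0, 20 );
}

/**
 * Accept an embed source only if it is an absolute http(s) URL with a host.
 * Returns the URL unchanged, or null if it must be rejected. Scheme-relative
 * URLs are rejected too, since the scheme they inherit is not under our control.
 */
function example_validate_embed_url( string $url ): ?string {
    $parts = parse_url( trim( $url ) );
    if ( $parts === false || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return null; // unparsable, scheme-less or host-less
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return null; // javascript:, data:, file:, vbscript: and friends
    }
    return $url;
}

/** Fail loudly on a mismatch; assert() may be disabled by php.ini. */
function example_check( $got, $expected, string $label ): void {
    if ( $got !== $expected ) {
        throw new RuntimeException(
            "$label: expected " . var_export( $expected, true ) . ', got ' . var_export( $got, true )
        );
    }
}

// Constructed test vectors (not taken from the release or any real report).
$locale_cases = array(
    'en_US'           => 'en_US',
    'pt-BR'           => 'pt-BR',
    '../../wp-config' => 'wp-config',   // traversal characters removed
    "en_US\0.php"     => 'en_USphp',    // NUL byte and dot removed
);
foreach ( $locale_cases as $input => $expected ) {
    example_check( example_sanitize_locale( $input ), $expected, "locale '$input'" );
}

$embed_cases = array(
    'https://example.com/embed/1' => 'https://example.com/embed/1',
    'HTTP://example.com/x'        => 'HTTP://example.com/x',   // scheme compared case-insensitively
    'javascript:alert(1)'          => null,
    'data:text/html,<script>'      => null,
    '//example.com/embed/1'        => null,   // scheme-relative: no scheme
    'file:///etc/passwd'           => null,
);
foreach ( $embed_cases as $input => $expected ) {
    example_check( example_validate_embed_url( $input ), $expected, "embed '$input'" );
}

echo "all checks passed\n";
```

Run it with `php example.php`; any mismatch throws. The point both functions share is that validation is by allow-list (what may appear) rather than deny-list (known-bad substrings), so a new dangerous scheme or a NUL-byte trick fails closed without a code change.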

For developers, the release includes significant improvements to the testing infrastructure, particularly in GitHub Actions workflows and HTTP redirect testing. These changes make the development and testing process more reliable by removing external dependencies and addressing deprecated GitHub Actions features.

Site administrators will benefit from improved security and should update promptly to protect their sites. The addition of end-of-life notification strings also improves communication about version support, helping administrators plan for future updates.

Overall, this is an important maintenance release that strengthens WordPress's security posture while making incremental improvements to the development infrastructure.

Statistics:

Files changed: 26
Line additions: 534
Line deletions: 443
Line changes: 977
Total commits: 5

Users Affected:

  • Site owners on the 5.7 branch need to update their WordPress installations to address the security vulnerabilities
  • Sites benefit from CSRF protection when setting media attachment thumbnails and from stricter validation of embed URLs and locale strings
  • Administrators will see the new end-of-life notification strings when managing sites on branches that have reached their final release

Contributors:

peterwilsoncc, desrosj, audrasjb, SergeyBiryukov