WordPress Release: 5.8.7

TL;DR

WordPress 5.8.7 is a security and maintenance release that addresses several important security vulnerabilities and includes various improvements to testing infrastructure. This update focuses on enhancing WordPress's security posture by fixing CSRF issues with media attachments, improving embed protocol validation, adding locale sanitization, and ensuring block comments are properly validated. The release also includes improvements to GitHub Actions workflows and adds new translation strings for end-of-life notifications.

Highlight of the Release

• Multiple security fixes including CSRF protection for media attachments
• Improved protocol validation for WordPress embed code
• New locale sanitization function for better internationalization security
• Enhanced validation for block editor comments
• Refactored HTTP API tests to remove external dependencies
• Updated GitHub Actions workflows for better CI/CD processes

Migration Guide

No specific migration steps are required for this update. This is a maintenance and security release that should be applied to all WordPress 5.8.x installations.

As with any WordPress update, it's recommended to:

1. Back up your website before updating
2. Update all plugins and themes to their latest versions
3. Test the update on a staging environment if possible
4. Apply the update during a low-traffic period

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains several important security fixes that protect WordPress sites from potential vulnerabilities. All WordPress users running version 5.8.x are strongly encouraged to update to 5.8.7 immediately.

If you're running an older version of WordPress, consider updating to the latest version (beyond 5.8.7) to benefit from additional features and security improvements.

Bug Fixes

HTTP API Test Improvements

The test for handling multiple location headers in WP_HTTP::handle_redirects() has been refactored to no longer depend on wordpress.org as an external dependency. The test now calls the method directly with a mocked array of HTTP headers, making it more reliable and faster to execute. This test has been moved from the external-http group to the http test group as it no longer makes an HTTP request.

New Features

New Translation Strings for End-of-Life Notifications

New translation strings have been added to about.php for use when releasing the final version of WordPress on a particular branch. These strings will help communicate important end-of-life information to users in their preferred language.

Improved Locale Sanitization

A new sanitization function for locales has been introduced to enhance security and ensure proper handling of internationalization features.

Security Updates

Critical Security Fixes

This release includes several important security fixes:

• Media: Fixed a CSRF vulnerability when setting attachment thumbnails
• Embeds: Added protocol validation for WordPress Embed code to prevent potential security issues
• Editor: Implemented validation to ensure block comments are of a valid form
• I18N: Introduced a sanitization function for locales to prevent potential injection attacks

These security improvements help protect WordPress sites from various vulnerabilities and should be applied immediately.

Performance Improvements

GitHub Actions Workflow Optimizations

Several improvements to GitHub Actions workflows have been backported to enhance CI/CD performance:

• Added support for automatically retrying failed workflows once, reducing manual intervention
• Addressed deprecated notices related to save-output and set-output to ensure workflows continue to run
• Removed workflow files not applicable to the branch
• Backported Docker environment related tooling updates for consistency across branches

Impact Summary

WordPress 5.8.7 is primarily a security-focused release that addresses several vulnerabilities while also improving the development and testing infrastructure. The security fixes protect against CSRF attacks in media handling, improve embed protocol validation, enhance locale sanitization, and ensure proper validation of block comments.

For site administrators and content creators, this update provides important protection against potential security threats without changing the user experience. Developers will benefit from improved testing tools, particularly the refactored HTTP API tests and updated GitHub Actions workflows.

The addition of new translation strings for end-of-life notifications improves communication for international WordPress users. Overall, this maintenance release strengthens WordPress's security posture while maintaining compatibility with existing sites and plugins.