WordPress Release: 5.9.10

TL;DR

WordPress 5.9.10 is a security and maintenance release that addresses critical security vulnerabilities in the block editor, specifically fixing path traversal issues on Windows systems and improving HTML tag sanitization in Template Parts. The update also includes significant improvements to the testing infrastructure, making tests more reliable across different platforms and enhancing the local development environment with Docker Compose V2 support, better Xdebug configuration, and various workflow optimizations.

Highlight of the Release

• Fixed path traversal security vulnerability in Template-Part Block on Windows systems
• Improved HTML tag sanitization for Template Parts
• Enhanced testing infrastructure with reusable workflows
• Updated Docker environment with Compose V2 support
• Improved cross-platform test reliability

Migration Guide

No migration steps are required for this update. This is a standard security and maintenance release that can be applied through the WordPress dashboard or via manual update procedures.

After updating, no configuration changes or additional steps are needed. All security fixes and improvements are applied automatically.

Upgrade Recommendations

Immediate Upgrade Recommended

This release contains critical security fixes that address vulnerabilities in the block editor, particularly for sites using Template Parts. All WordPress 5.9.x sites should be updated to version 5.9.10 as soon as possible.

If you're running an older version of WordPress (5.9.x), updating to 5.9.10 is strongly recommended for security reasons. However, if possible, upgrading to the latest major WordPress version would provide additional security improvements and features.

The update process should be smooth with no expected compatibility issues.

Bug Fixes

Security Fixes

• Fixed path traversal vulnerability in the Template-Part Block on Windows systems
• Improved HTML tag sanitization for Template Parts on save

Testing Infrastructure Fixes

• Fixed image size comparison issues in external HTTP tests by using WordPress.org CDN images
• Updated MySQL container configuration to prefer amd64 containers for better cross-platform compatibility
• Fixed SVN-related commands that were causing test failures
• Improved artifact generation and comments for Playground testing

New Features

No new features were introduced in this maintenance release. The focus was on security fixes and improvements to the development and testing infrastructure.

Security Updates

Critical Security Fixes

• Path Traversal Vulnerability: Fixed a path traversal issue in the Template-Part Block specifically affecting Windows systems. This vulnerability could potentially allow unauthorized access to files outside the intended directory structure.

• HTML Tag Sanitization: Improved sanitization of Template Part HTML tags on save, preventing potential XSS (Cross-Site Scripting) vulnerabilities.

These security fixes were backported from more recent WordPress versions to ensure 5.9.x branch users are protected.

Performance Improvements

This release doesn't include specific performance improvements for end users. The changes to the testing infrastructure may improve development workflow efficiency, but these don't directly impact site performance.

Impact Summary

WordPress 5.9.10 is primarily a security-focused maintenance release that addresses critical vulnerabilities in the Template-Part Block functionality. The most significant impact is the closure of a path traversal vulnerability on Windows systems and improved HTML tag sanitization, both of which enhance the security posture of WordPress sites.

For end users and site owners, there are no visible changes to functionality or the admin interface. The update is transparent from a user experience perspective but crucial for site security.

For developers, the release brings substantial improvements to the testing infrastructure, including Docker Compose V2 support, better Xdebug configuration, and more reliable cross-platform testing capabilities. These changes make the development environment more robust and future-proof.

This release demonstrates WordPress's commitment to maintaining security across all supported versions while also improving the developer experience through better tooling and infrastructure.