WordPress Release: 5.9.5

Tag Name: 5.9.5

Release Date: 10/17/2022


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 5.9.5 is a security and maintenance release that addresses multiple security vulnerabilities and includes important bug fixes. This update introduces strings for future security support status notifications, fixes timezone handling in tests, and includes several security enhancements across various WordPress components. The release also updates several WordPress packages to their latest versions to address bugs in the block editor and related components.

Highlight of the Release

    • Multiple security enhancements across various WordPress components
    • Introduction of strings for future security support status notifications
    • Updated timezone handling in date/time tests for PHP 8.2 compatibility
    • Bug fixes in WordPress core packages

Migration Guide

No specific migration steps are required for this update. As this is primarily a security and maintenance release, the update process should be straightforward:

  1. Back up your WordPress site before updating
  2. Update through the WordPress dashboard or via your preferred method
  3. Test your site functionality after the update

No database schema changes or breaking changes were introduced in this release.

Upgrade Recommendations

This update is highly recommended for all WordPress 5.9.x installations due to the security fixes included.

Since WordPress 5.9.5 addresses multiple security vulnerabilities, all site administrators should update their sites as soon as possible to ensure they're protected against potential security threats.

For those on earlier versions of WordPress, consider updating to the latest version (beyond 5.9.5) to benefit from additional features and security improvements.

Bug Fixes

Timezone Handling in Tests

  • Fixed timezone handling in date/time tests by replacing the deprecated Europe/Kiev timezone (deprecated in PHP 8.2) with Europe/Helsinki, ensuring tests run properly across all supported PHP versions

Various Component Fixes

  • Media: Refactored search by filename within the admin
  • REST API: Fixed security issues in the terms endpoint
  • Customize: Improved escaping for the blogname option in underscores templates
  • Query: Enhanced validation for relation in WP_Date_Query
  • Users: Reverted use of shared objects for current user
  • Posts/Post types: Applied KSES to post-by-email content
  • General: Improved host validation on "Are you sure?" screen
  • Posts/Post types: Removed emails from post-by-email logs
  • Pings/trackbacks: Applied KSES to all trackbacks
  • Mail: Reset PHPMailer properties between use
  • Comments: Applied KSES when editing comments
  • Widgets: Escaped RSS error messages for display

New Features

Introduction of Security Support Status Strings

This release introduces new strings that will be used in future maintenance and security releases to indicate the security support status of WordPress versions. These strings will help users understand:

  • When a version is no longer receiving security updates
  • When a version will shortly stop receiving security updates

These strings have been added to make them available to translators before they're actively used in future releases.

Security Updates

Security Enhancements

This release includes multiple security fixes across various WordPress components:

  • REST API: Improved security for the terms endpoint by locking down post parameters
  • Customize: Enhanced escaping for the blogname option in underscores templates
  • Posts/Post types: Applied KSES filtering to post-by-email content for better security
  • General: Improved host validation on the "Are you sure?" screen
  • Posts/Post types: Removed emails from post-by-email logs to protect user privacy
  • Pings/trackbacks: Applied KSES filtering to all trackbacks
  • Mail: Reset PHPMailer properties between use to prevent information leakage
  • Comments: Applied KSES filtering when editing comments
  • Widgets: Escaped RSS error messages for display to prevent potential XSS vulnerabilities

These changes collectively enhance WordPress's security posture by improving input validation, output escaping, and data handling throughout the system.
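The fix list above turns on two defensive patterns: escaping untrusted text at output time and running untrusted markup through KSES before it is stored. The following PHP is an added illustration of those patterns using WordPress's public functions (esc_html, wp_kses_post, wp_insert_post); it is not the 5.9.5 patch itself, and the function names and the "feed error" and "mailed body" inputs are hypothetical.

```php
<?php
// Added illustration (not the WordPress 5.9.5 patches) of the weak pattern
// beside the hardened one for two of the components listed above.
// Assumes WordPress is loaded so esc_html(), wp_kses_post() and
// wp_insert_post() are available.

/**
 * Weak: an error string that originated outside the site (for example a
 * feed fetch failure message) is printed straight into admin HTML, so any
 * markup it carries is interpreted by the browser.
 */
function show_feed_error_unescaped( $error_message ) {
    echo '<p class="error">' . $error_message . '</p>';
}

/**
 * Hardened: the same message is HTML-escaped at the point of output, so the
 * browser renders it as literal text.
 */
function show_feed_error_escaped( $error_message ) {
    echo '<p class="error">' . esc_html( $error_message ) . '</p>';
}

/**
 * Weak: body text received over an untrusted channel (mail, a trackback) is
 * stored as post content with whatever markup it contains.
 */
function store_untrusted_body_unfiltered( $body, $author_id ) {
    return wp_insert_post( array(
        'post_content' => $body,
        'post_author'  => $author_id,
        'post_status'  => 'draft',
    ) );
}

/**
 * Hardened: the body is reduced to the KSES allowlist used for post content
 * before it is stored, independent of the sender's capabilities.
 */
function store_untrusted_body_filtered( $body, $author_id ) {
    return wp_insert_post( array(
        'post_content' => wp_kses_post( $body ),
        'post_author'  => $author_id,
        'post_status'  => 'draft',
    ) );
}
```

The same principle applies to the other items in the list: treat content that arrives from outside the request's trust boundary as untrusted, filter it once on the way in, and escape it once on the way out.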

Performance Improvements

No specific performance improvements were highlighted in this release. The focus was primarily on security enhancements and bug fixes.

Impact Summary

WordPress 5.9.5 is primarily a security-focused maintenance release that addresses multiple vulnerabilities across various WordPress components. The update strengthens WordPress's security posture by improving input validation, output escaping, and data handling throughout the system.

The release introduces strings for future security support status notifications, which will eventually help users understand when their WordPress version is approaching or has reached end-of-security-support. It also updates timezone handling in tests to maintain compatibility with PHP 8.2, where the Europe/Kiev timezone has been deprecated.

Several WordPress packages related to the block editor have been updated to fix bugs, though specific details about these fixes weren't provided in the commit messages.

Overall, this release represents an important security update that all WordPress 5.9.x site administrators should apply promptly to protect their sites from potential security threats.

Statistics:

  • Files changed: 40
  • Line additions: 303
  • Line deletions: 191
  • Line changes: 494
  • Total commits: 7

Users Affected:

  • Enhanced security protections for their WordPress installations
  • Improved handling of user inputs and data validation
  • Better protection against potential security vulnerabilities

Contributors:

peterwilsoncc, audrasjb, desrosj, SergeyBiryukov