WordPress Release: 5.9.6

TL;DR

WordPress 5.9.6 is a security and maintenance release that addresses several important issues. It adds object-fit to the allowed CSS properties list, fixes a bug in Featured Image blocks, improves HTTP API handling, adds end-of-life update strings, updates test compatibility with PHP 8.1.12+, and includes multiple security fixes. This release is recommended for all WordPress 5.9 users to maintain site security and stability.

Highlight of the Release

• Security fixes addressing CSRF in attachment thumbnails, WordPress embed code validation, and block template security
• Fixed Featured Image blocks by adding object-fit to allowed CSS properties
• Improved HTTP API handling for multiple location headers
• Added new strings for end-of-life updates
• Updated test compatibility with PHP 8.1.12+

Migration Guide

This maintenance and security release does not require any specific migration steps. Simply update to WordPress 5.9.6 through your dashboard or by downloading the update from wordpress.org.

After updating, test your site's functionality, especially if you're using:

• Featured Image blocks
• Custom themes with block templates
• Custom code that interacts with the WordPress HTTP API
• Sites running on PHP 8.1.12 or newer

Plugin and theme developers should review the security fixes, particularly those related to media attachments, embeds, and block templates, to ensure their code follows best practices.

Upgrade Recommendations

Immediate upgrade is strongly recommended for all sites running WordPress 5.9.x.

This release contains important security fixes that protect your site from potential vulnerabilities. The maintenance improvements also enhance stability and compatibility with newer PHP versions.

WordPress 5.9.6 is compatible with existing plugins and themes that work with WordPress 5.9. As this is primarily a security and maintenance release, it should not cause compatibility issues with properly coded plugins and themes.

If you're running an older version of WordPress 5.9, updating to 5.9.6 is essential for maintaining site security. If you're on an earlier major version of WordPress, consider updating to the latest version (beyond 5.9.6) for access to all security fixes and new features.

Bug Fixes

• Media: Added object-fit to the allowed list of CSS properties, resolving a bug in Featured Image blocks where this property was being incorrectly removed during the render_callback.

• HTTP API: Refactored test for multiple location headers, removing wordpress.org as an external dependency when testing WP_HTTP::handle_redirects(). This improves test reliability and independence.

• Tests: Adjusted the expected mime type for WOFF fonts on PHP 8.1.12+. Due to updates in PHP's libmagic/file to version 5.42, the expected mime type for WOFF files changed to font/woff, requiring corresponding adjustments in wp_check_filetype_and_ext() tests.

• Security: Fixed multiple security issues:

  • Prevented CSRF vulnerability when setting attachment thumbnails
  • Added protocol validation for WordPress Embed code
  • Ensured block comments are of a valid form
  • Removed shortcode support from block templates

New Features

• End-of-Life Update Notifications: Added new translation strings in about.php for use when releasing the final version of WordPress on a particular branch, improving user awareness of version support status.

• Locale Sanitization: Introduced a new sanitization function for locales to enhance security and prevent potential issues with invalid locale strings.

Security Updates

• Media: Implemented protection against CSRF (Cross-Site Request Forgery) vulnerabilities when setting attachment thumbnails, ensuring that only authorized users can modify media attachments.

• Embeds: Added protocol validation for WordPress Embed code to prevent potential security issues with malicious embed URLs.

• Internationalization: Introduced a sanitization function for locale strings to prevent potential security issues with manipulated locale values.

• Editor: Enhanced security by ensuring block comments are of a valid form and removing shortcode support from block templates, which could potentially be exploited.

Performance Improvements

• Build/Test Tools: Backported several updates to GitHub Actions workflows, improving CI/CD pipeline reliability and performance. These updates address deprecated notices related to save-output and set-output, add support for automatically retrying failed workflows, and remove workflow files not applicable to the branch.

Impact Summary

WordPress 5.9.6 is an important security and maintenance release that addresses several vulnerabilities and bugs. The security fixes protect against CSRF attacks on media attachments, validate WordPress embed protocols, sanitize locale strings, and enhance block editor security. These improvements significantly reduce potential attack vectors for WordPress sites.

The bug fixes resolve issues with Featured Image blocks by allowing the object-fit CSS property, improve HTTP API handling, and update test compatibility with newer PHP versions. These changes enhance stability and ensure proper functionality across different environments.

For site administrators, this update is crucial for maintaining security. Content creators will benefit from fixed Featured Image blocks, while developers will appreciate the improved HTTP API handling and test tools. The addition of end-of-life update strings also improves communication about version support status.

Overall, this release demonstrates WordPress's commitment to security, stability, and compatibility, making it an essential update for all WordPress 5.9 users.