WordPress Release: 5.9.8

Tag Name: 5.9.8

Release Date: 10/12/2023


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 5.9.8 is a security and maintenance release that addresses several important vulnerabilities. This update focuses on strengthening WordPress core by implementing multiple security fixes related to REST API permissions, comment visibility, application password validation, and protection against object unserialization attacks. The release is critical for maintaining the security posture of WordPress sites and should be applied immediately to all WordPress 5.9.x installations.

Highlight of the Release

    • Enhanced REST API security with improved permission handling for user searches
    • Fixed comment visibility to prevent unauthorized access to comments on restricted posts
    • Strengthened application password security by blocking certain pseudo protocols
    • Improved media shortcode handling to prevent potential security issues
    • Added protection against object unserialization vulnerabilities

Migration Guide

No specific migration steps are required for this security update. Simply update your WordPress installation to version 5.9.8 through your admin dashboard or via your preferred update method.

If you're using application passwords with custom integrations, you may want to verify that your implementation doesn't rely on any of the now-blocked pseudo protocols.

Upgrade Recommendations

Immediate Update Recommended

This is a security release that addresses multiple vulnerabilities in WordPress core. All WordPress site administrators running version 5.9.x should update immediately to version 5.9.8.

If your site is already on WordPress 6.0 or newer, you should be running the latest version of that branch instead, as these security fixes have been incorporated into those versions as well.

For sites that cannot immediately update to 5.9.8, it's strongly recommended to implement additional security measures such as a Web Application Firewall (WAF) until the update can be applied.

Bug Fixes

REST API Improvements

  • Fixed an issue where users without proper permissions could access more user data than intended through the search_columns parameter
  • Added no-cache headers when REST API methods are overridden to prevent potential caching issues

Comment System Fixes

  • Resolved a vulnerability where users could potentially see comments on posts they don't have permission to view

Media Handling

  • Restricted media shortcode AJAX functionality to specific allowed types to prevent potential abuse

New Features

No significant new features were added in this security-focused release. WordPress 5.9.8 primarily addresses security vulnerabilities and fixes bugs in the existing codebase.

Security Updates

REST API Security Enhancements

  • Limited the search_columns parameter for users without the list_users capability to prevent unauthorized access to user data
  • Ensured proper no-cache headers are sent when REST API methods are overridden to prevent potential information leakage
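The search_columns restriction described above, written as an added stand-alone illustration rather than WordPress core's own code: the capability result is passed in so it runs without WordPress, and the column groupings are assumptions modelled on the users table.

```php
<?php
// Added illustration, not WordPress core code. The column lists below are
// assumptions; in WordPress the boolean would come from current_user_can('list_users').

declare(strict_types=1);

/**
 * Return the search columns a requester may use, or null if any requested
 * column is outside that requester's allowance (so the endpoint can reject
 * the request with a permission error instead of silently widening the search).
 *
 * @param string[] $requested      Values from the REST request's search_columns parameter.
 * @param bool     $can_list_users Result of current_user_can('list_users') in WordPress.
 * @return string[]|null
 */
function filter_search_columns(array $requested, bool $can_list_users): ?array
{
    // Assumed: columns that only reveal public profile data.
    $public_columns = ['ID', 'user_login', 'user_nicename', 'display_name'];
    // Assumed: columns that reveal non-public data and need list_users.
    $privileged_columns = ['user_email'];

    $allowed = $can_list_users
        ? array_merge($public_columns, $privileged_columns)
        : $public_columns;

    // Any column outside the allowance means the whole request is refused.
    if (array_diff($requested, $allowed) !== []) {
        return null;
    }
    return array_values(array_unique($requested));
}

// Constructed demonstration input: a search over login and e-mail.
$request_columns = ['user_login', 'user_email'];

var_dump(filter_search_columns($request_columns, false)); // NULL: user_email needs list_users
var_dump(filter_search_columns($request_columns, true));  // array('user_login', 'user_email')
```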

Comment System Security

  • Prevented users from seeing comments on posts they don't have permission to view, closing a potential information disclosure vulnerability

Application Password Security

  • Blocked the use of certain pseudo protocols in application passwords to prevent potential security bypasses

Media Security

  • Restricted media shortcode AJAX functionality to certain types only, preventing potential abuse vectors

Core Security

  • Added protection against unintended behavior when certain objects are unserialized, preventing potential object injection attacks
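Two defensive layers for the unserialization hardening described above, as an added illustration that is not WordPress core's code: the class name and its method bodies are constructed, and the pattern of refusing unserialization in `__wakeup()` is shown alongside PHP's built-in `allowed_classes` option.

```php
<?php
// Added illustration, not WordPress core code. CachedTemplate is a constructed
// class standing in for any core object that must never be rebuilt from untrusted bytes.

declare(strict_types=1);

final class CachedTemplate
{
    public function __construct(public string $path) {}

    // Layer 1: refuse to be unserialized at all, so a gadget chain cannot
    // produce a live instance of this class with attacker-chosen properties.
    public function __wakeup(): void
    {
        throw new LogicException(self::class . ' must never be unserialized.');
    }
}

/**
 * Layer 2: unserialize untrusted data with object instantiation disabled.
 * Returns the decoded value, or null when the input is malformed.
 */
function safe_unserialize(string $data): mixed
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== serialize(false)) {
        return null; // malformed input, not a legitimately serialized false
    }
    return $value;
}

// Constructed inputs: a plain array and a serialized CachedTemplate object.
$array_payload  = serialize(['ttl' => 60, 'key' => 'home']);
$object_payload = serialize(new CachedTemplate('/tmp/example.php'));

var_dump(safe_unserialize($array_payload)['ttl']); // int(60)

// With allowed_classes => false the object arrives as __PHP_Incomplete_Class,
// never as a live CachedTemplate, so no __wakeup/__destruct code of that class runs.
var_dump(safe_unserialize($object_payload) instanceof __PHP_Incomplete_Class); // bool(true)

// A plain unserialize() of the same bytes is refused by __wakeup() instead.
try {
    unserialize($object_payload);
} catch (LogicException $e) {
    echo $e->getMessage(), PHP_EOL; // CachedTemplate must never be unserialized.
}
```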

Performance Improvements

This release doesn't include specific performance improvements. The focus was primarily on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

WordPress 5.9.8 is primarily a security-focused release that addresses several important vulnerabilities in the WordPress core. The security fixes span multiple areas including the REST API, comment system, application passwords, media handling, and protection against object unserialization attacks.

The most significant impact is the strengthening of WordPress's security posture, particularly around permission handling and preventing information disclosure. Site administrators should update immediately to protect their sites from potential exploitation of these vulnerabilities.

For developers, there are some changes to be aware of regarding REST API permissions, comment visibility rules, and application password restrictions. These changes are unlikely to affect most standard implementations but could require adjustments for custom code that interacts deeply with these systems.

This release continues WordPress's commitment to maintaining security for the 5.9.x branch while newer major versions (6.x) are available. The security fixes demonstrate WordPress's ongoing dedication to supporting older versions with critical security updates.

Statistics:

  • Files changed: 20
  • Line additions: 320
  • Line deletions: 37
  • Line changes: 357
  • Total commits: 3

Users Affected:

  • Need to update their WordPress installations immediately to protect against security vulnerabilities
  • Will benefit from improved REST API security controls
  • Should review application password usage after update

Contributors:

  • joemcgill
  • audrasjb
  • dream-encode