WordPress Release: 5.9.9

TL;DR

WordPress 5.9.9 brings important security and maintenance updates to the 5.9 branch

This maintenance release addresses two key issues: improves the handling of options serialization during installation and enhances security for ZIP file uploads with proper verification. The update is primarily focused on backporting critical fixes from newer WordPress versions to ensure continued security and stability for sites running on the 5.9 branch. These changes are particularly important for sites that handle file uploads and for new WordPress installations.

Highlight of the Release

• Enhanced security for ZIP file uploads with proper verification
• Improved options handling during WordPress installation
• Official support for PHP 8.1 in the 5.9 branch
• Backported critical fixes from newer WordPress versions

Migration Guide

No specific migration steps are required for this maintenance release. WordPress 5.9.9 is a backward-compatible update that can be applied directly to sites running WordPress 5.9.8 or earlier in the 5.9 branch.

As with any WordPress update, it's recommended to:

1. Back up your website before updating
2. Test the update in a staging environment if possible
3. Update all themes and plugins to their latest compatible versions
4. Check your site functionality after the update

Upgrade Recommendations

This update is highly recommended for all sites running WordPress 5.9.x due to the security enhancements for ZIP file uploads.

However, if you're running an older version of WordPress 5.9, it's strongly recommended to update directly to 5.9.9 to ensure you have all security fixes and improvements.

For optimal security and features, consider upgrading to the latest major WordPress version if your site's themes and plugins are compatible.

Bug Fixes

• Installation Process: Fixed an issue with options handling during installation. WordPress now uses maybe_serialize() instead of always using serialize() when populating options, ensuring proper data handling.

• Build/Test Tools: Changed the default value of LOCAL_PHP from latest to 8.1-fpm to reflect the highest supported PHP version for this branch. This prevents failures when the latest container is updated in the wpdev-docker-images repository.

• E2E Test Workflow: Pinned the PHP version used in E2E tests to PHP 8.0 to avoid deprecated notices related to issue #54914 (which was fixed in WordPress 6.1).

• File Formatting: Ensured proper newline at the end of files for consistent formatting.

New Features

No significant new features were added in this maintenance release. WordPress 5.9.9 focuses on security enhancements and bug fixes rather than introducing new functionality.

Security Updates

Security Enhancements

• ZIP Archive Verification: Added improved checks for ZIP archives during the upload process. This enhancement helps prevent potential security vulnerabilities by properly verifying ZIP files before they are processed by WordPress.

This security improvement is particularly important for sites that allow file uploads, as it helps protect against potentially malicious ZIP files.

Performance Improvements

No specific performance improvements were included in this maintenance release. The changes focus primarily on security enhancements and bug fixes.

Impact Summary

WordPress 5.9.9 is a targeted maintenance and security release that addresses specific issues without introducing major changes to functionality. The primary impacts are:

1. Enhanced Security: Improved verification of ZIP archives during uploads helps protect sites from potential security vulnerabilities.

2. More Reliable Installation: The fix for options serialization during installation ensures more consistent behavior when setting up new WordPress sites.

3. PHP Compatibility: Official support for PHP 8.1 in the 5.9 branch provides clarity for developers and hosts about compatible PHP versions.

This release demonstrates WordPress's commitment to maintaining security and stability for older branches while users prepare to upgrade to newer major versions. The changes are focused and minimal, designed to address specific issues without disrupting existing functionality.