WordPress Release: 6.0.2

Tag Name: 6.0.2

Release Date: 8/30/2022

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 6.0.2 is a security and maintenance release that addresses several important bugs and security vulnerabilities. This update includes fixes for template handling in the block editor, improvements to theme pattern registration, security patches for output escaping, and updates to external libraries. The release enhances stability for theme developers working with block patterns and fixes issues with template management in the site editor.

Highlights of the Release

    • Security improvements with proper output escaping in the_meta(), bookmark queries, and plugin error messages
    • Fixed theme pattern registration to allow remote patterns even when core patterns are disabled
    • Resolved duplicate templates issue in the Templates and Template Parts screens
    • Updated Moment library to version 2.29.4
    • Fixed PHP compatibility issue with get_block_templates() function

Migration Guide

Deprecated Function: the_meta()

The the_meta() function has been deprecated in favor of get_post_meta(). If your code currently uses the_meta() to display post meta data, you should update it to use get_post_meta() instead, making sure to properly escape the output.

Before:

the_meta();

After:

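// Fetch all meta for the current post; each key maps to an array of values.
$post_meta = get_post_meta( get_the_ID() );
if ( $post_meta ) {
    echo '<ul class="post-meta">';
    foreach ( $post_meta as $key => $value ) {
        // Skip protected (internal) meta keys.
        if ( is_protected_meta( $key, 'post' ) ) {
            continue;
        }
        // Escape both the key and the values before output.
        echo '<li><span class="post-meta-key">' . esc_html( $key ) . '</span> ' . esc_html( implode( ', ', $value ) ) . '</li>';
    }
    echo '</ul>';
}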
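
Before migrating, it helps to know where a theme or plugin still calls the_meta(). The following is an added example, not WordPress core code and not part of the release notes: a tokenizer-based scan that reports direct calls. The helper name find_the_meta_calls() is hypothetical and the sample template is constructed for illustration.

```php
<?php
// Added example, not WordPress core code: list direct calls to the
// deprecated the_meta() in a PHP source string.

/**
 * Return the line numbers where $source calls the global function the_meta().
 * Tokenizing instead of grepping skips comments, string literals, method
 * calls such as $obj->the_meta() and function declarations.
 */
function find_the_meta_calls( string $source ): array {
    $skip   = array( 'T_WHITESPACE', 'T_COMMENT', 'T_DOC_COMMENT' );
    $tokens = array();
    foreach ( token_get_all( $source ) as $tok ) {
        // Normalise to [ name, text, line ] and drop insignificant tokens.
        $name = is_array( $tok ) ? token_name( $tok[0] ) : $tok;
        if ( ! in_array( $name, $skip, true ) ) {
            $tokens[] = is_array( $tok ) ? array( $name, $tok[1], $tok[2] ) : array( $tok, $tok, 0 );
        }
    }

    // A name preceded by one of these is a method call or a declaration.
    $not_a_call = array( 'T_OBJECT_OPERATOR', 'T_NULLSAFE_OBJECT_OPERATOR', 'T_DOUBLE_COLON', 'T_FUNCTION', 'T_NEW' );
    $lines      = array();
    foreach ( $tokens as $i => $tok ) {
        // `the_meta` is T_STRING; `\the_meta` is T_NAME_FULLY_QUALIFIED on PHP 8+.
        $is_name = in_array( $tok[0], array( 'T_STRING', 'T_NAME_FULLY_QUALIFIED' ), true );
        if ( ! $is_name || 0 !== strcasecmp( ltrim( $tok[1], '\\' ), 'the_meta' ) ) {
            continue; // PHP function names are case-insensitive, hence strcasecmp().
        }
        $prev = $i > 0 ? $tokens[ $i - 1 ][0] : '';
        $next = isset( $tokens[ $i + 1 ] ) ? $tokens[ $i + 1 ][0] : '';
        if ( '(' === $next && ! in_array( $prev, $not_a_call, true ) ) {
            $lines[] = $tok[2];
        }
    }
    return $lines;
}

// Constructed sample template, for illustration only.
$sample = <<<'SAMPLE'
<?php
// the_meta() mentioned in a comment is not a call.
the_meta();
$widget->the_meta();
echo 'the_meta()';
if ( have_posts() ) { \The_Meta(); }
SAMPLE;

foreach ( find_the_meta_calls( $sample ) as $line ) {
    echo "the_meta() called on line $line\n";
}
```

To scan real files, pass the result of file_get_contents() for each .php file in the theme or plugin directory to the same function.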

Theme Pattern Registration

If you're a theme developer who has been disabling core patterns but wants to use specific patterns from the Pattern Directory, you can now do so by:

  1. Disabling core patterns with remove_theme_support('core-block-patterns')
  2. Registering specific patterns in your theme.json file:
{
  "version": 2,
  "patterns": [
    "pattern-directory-slug/pattern-name"
  ]
}

No additional code changes are needed to make this work in WordPress 6.0.2.

Upgrade Recommendations

This release contains important security fixes and bug fixes. All WordPress sites should be updated to 6.0.2 as soon as possible.

The security improvements in this release address potential vulnerabilities related to output escaping in various WordPress functions. Additionally, the bug fixes resolve issues that could affect site functionality, particularly for sites using the block editor and template management features.

How to Update

You can update to WordPress 6.0.2 through your Dashboard by navigating to Dashboard → Updates and clicking "Update Now," or you can download the release directly from WordPress.org.

As always, it's recommended to back up your site before performing any update.

Bug Fixes

Template Management Fixes

  • Fixed an issue in get_block_templates() that caused customized templates to be listed multiple times on the Templates and Template Parts screens. The function was using array_column() on an object array, which worked on PHP 7+ but not on PHP 5.6. This has been resolved by replacing it with wp_list_pluck() for consistent behavior across PHP versions.

Block Registration Improvements

  • Fixed a bug where register_block_type did not recognize the ancestor block setting when registering blocks through PHP, although it worked correctly when blocks were registered via JavaScript.

UI and Visual Improvements

  • Improved vertical alignment in the Additional Design Tools section of the Help/About page by making a transparent circle SVG smaller to match the height of other images, ensuring all three columns are properly aligned.

Documentation Corrections

  • Corrected @since tags introduced in WordPress 6.0.1. The associated changes were backported to the 6.0 branch, so the version should be 6.0.1 instead of 6.1.0. This affects:
    • @since tag for the block-templates feature in create_initial_theme_features()
    • @since tag for the show_on_front, page_on_front, and page_for_posts options on the REST API settings endpoint

Build/Test Tools

  • Added tag pattern matching for the testing NPM workflow that was missed in previous updates.

New Features

Enhanced Theme Pattern Registration

Theme developers can now register remote patterns from the Pattern Directory via theme.json even when core patterns are disabled. This improvement allows theme authors to disable all core and remote patterns by default using remove_theme_support('core-block-patterns') while still selectively registering specific patterns from the Pattern Directory. This makes the Pattern Directory more appealing and usable from a theme author's perspective, giving them greater control over which patterns are available to their users.

Security Updates

Output Escaping Improvements

WordPress 6.0.2 includes several important security fixes related to proper output escaping:

  1. Post Meta Output: Improved security in the_meta() by escaping output and converting markup to entities when displaying on the front end. The function has been deprecated in favor of get_post_meta() for better security practices.

  2. Bookmark Query Limits: Added validation to ensure bookmark query limits are numeric, preventing potential security issues.

  3. Plugin Error Messages: Enhanced security by properly escaping output in plugin error messages to prevent potential XSS vulnerabilities.

External Library Update

Updated the Moment library to version 2.29.4, which includes security fixes. This is a minor bug fix release that addresses potential security vulnerabilities in the library.

Performance Improvements

Editor Performance

The WordPress 6.0.2 release includes backported bug fixes from Gutenberg that improve the overall performance and stability of the block editor. These updates affect multiple Gutenberg packages including block-editor, block-library, customize-widgets, edit-post, edit-site, edit-widgets, editor, format-library, reusable-blocks, and widgets.

Template Handling Optimization

The fix for get_block_templates() not only resolves the duplicate templates issue but also optimizes the template handling process, resulting in more efficient template management in the site editor.

Impact Summary

WordPress 6.0.2 is primarily a security and maintenance release that addresses several important issues:

  1. Security Enhancements: The release includes critical security fixes related to output escaping in various WordPress functions, including the_meta(), bookmark queries, and plugin error messages. These changes help protect sites from potential XSS vulnerabilities.

  2. Theme Development Improvements: Theme developers now have more flexibility with pattern registration, allowing them to disable core patterns while still selectively using patterns from the Pattern Directory via theme.json.

  3. Editor Stability: The update includes backported bug fixes from Gutenberg that improve the stability and functionality of the block editor, particularly for template management.

  4. PHP Compatibility: Fixed an issue with get_block_templates() that affected sites running on PHP 5.6, ensuring consistent behavior across different PHP versions.

  5. External Library Updates: Updated the Moment library to version 2.29.4 to address security vulnerabilities and improve stability.

These changes collectively improve the security, stability, and usability of WordPress, particularly for sites utilizing the block editor and theme developers working with block patterns.

Statistics:

Files Changed: 20
Line Additions: 1,469
Line Deletions: 1,104
Line Changes: 2,573
Total Commits: 16

Users Affected:

  • Can now register remote patterns from the Pattern Directory via theme.json even when core patterns are disabled
  • Fixed issue with `register_block_type` not recognizing the `ancestor` block setting when registering blocks through PHP
  • Better control over which patterns are available to users without requiring all core patterns to be enabled

Contributors:

SergeyBiryukov, desrosj, audrasjb