WordPress Release: 6.0.4

TL;DR

WordPress 6.0.4 is a security and maintenance release that addresses several important security vulnerabilities and includes bug fixes. This release adds object-fit to the allowed CSS properties list, fixes CSRF issues with attachment thumbnails, improves embed security, and enhances block editor safety. It also includes various test improvements and GitHub Actions workflow updates to ensure better compatibility with modern environments.

Highlight of the Release

• Security fixes for CSRF vulnerabilities in attachment thumbnails
• Added object-fit to allowed CSS properties, fixing Featured Image block rendering
• Protocol validation for WordPress embed code
• New locale sanitization function for improved internationalization
• Enhanced block editor security with better comment handling and template processing

Migration Guide

WordPress 6.0.4 is a security and maintenance release that doesn't introduce breaking changes. Upgrading should be straightforward:

1. Backup your website before updating (database and files)
2. Update through your WordPress dashboard or via your preferred method
3. Test your website functionality after update, particularly:
   • Featured image display in themes using the Featured Image block
   • Any custom code that relies on attachment handling
   • Embeds and internationalization features if you use them extensively

If you're a developer who has built custom code that:

• Filters allowed CSS properties
• Works with attachment thumbnails
• Processes block templates with shortcodes
• Uses the WordPress HTTP API for redirect handling

You should review your code to ensure compatibility with the security improvements in this release.

Upgrade Recommendations

Immediate upgrade is strongly recommended for all WordPress 6.0.x installations due to the security fixes included in this release.

WordPress 6.0.4 addresses several security vulnerabilities that could potentially be exploited on unpatched sites. The release also includes important bug fixes and compatibility improvements that enhance the stability and security of your WordPress installation.

For users who are on older versions of WordPress (pre-6.0), consider upgrading to the latest major version of WordPress for access to all new features and security improvements. However, if you must remain on the 6.0 branch, updating to 6.0.4 is essential for security.

Bug Fixes

• Media Handling: Fixed a bug in Featured Image blocks where the object-fit CSS property was being incorrectly removed during the render_callback.
• Coding Standards: Corrected the deprecation version for _filter_query_attachment_filenames() function.
• MIME Type Detection: Adjusted the expected MIME type for WOFF fonts on PHP 8.1.12+, ensuring proper font file handling with newer PHP versions.
• Block Editor:
  • Ensured block comments are of a valid form to prevent potential issues.
  • Removed shortcode support from block templates for better security and reliability.

New Features

• Internationalization Improvements: Added new strings to about.php for use with end-of-life updates, enhancing the user experience when a WordPress branch reaches its final version.
• Locale Sanitization: Introduced a new sanitization function for locales to improve security and reliability of internationalization features.
• CSS Property Allowlist Enhancement: Added object-fit to the allowed list of CSS properties, enabling proper styling for Featured Image blocks.

Security Updates

• Media Security: Prevented CSRF (Cross-Site Request Forgery) vulnerabilities when setting attachment thumbnails.
• Embed Security: Added protocol validation for WordPress Embed code to prevent potential security issues.
• Block Editor Security:
  • Enhanced validation to ensure block comments are of a valid form.
  • Removed shortcode support from block templates to prevent potential security vulnerabilities.
• Internationalization Security: Introduced a new sanitization function for locales to prevent potential injection attacks.

Performance Improvements

• HTTP API Testing: Refactored tests for multiple location headers to remove wordpress.org as an external dependency when testing WP_HTTP::handle_redirects(). This improves test reliability and speed by eliminating external network requests.
• GitHub Actions Workflows: Multiple updates to GitHub Actions workflows to improve CI/CD performance, including:
  • Added support for automatically retrying failed workflows once
  • Updated Docker environment related tooling for better consistency
  • Updated several GitHub Actions to their latest versions for improved performance

Impact Summary

WordPress 6.0.4 is primarily a security and maintenance release that addresses several important vulnerabilities and bugs. The security fixes protect against CSRF attacks in media handling, improve embed security through protocol validation, and enhance block editor safety.

For content creators, the addition of object-fit to allowed CSS properties resolves rendering issues with Featured Image blocks, improving the visual presentation of content. The security improvements around attachment thumbnails also provide better protection when working with media files.

For developers, the release includes several improvements to GitHub Actions workflows and testing infrastructure, making development and CI/CD processes more reliable. The introduction of a locale sanitization function enhances internationalization security.

System administrators will benefit from improved compatibility with PHP 8.1.12+ for font handling and the various security enhancements that protect WordPress installations from potential attacks.

Overall, this release strengthens WordPress 6.0's security posture and fixes specific bugs without introducing breaking changes, making it an important but straightforward update for all WordPress 6.0.x users.