WordPress Release: 6.1.2

TL;DR

WordPress 6.1.2 is a security and maintenance release that addresses several critical security vulnerabilities and includes important bug fixes. This update focuses on enhancing the security posture of WordPress installations by preventing CSRF attacks on attachments, validating embed protocols, improving locale sanitization, and fixing block editor security issues. The release also includes improvements to the update process and testing infrastructure.

Highlight of the Release

• Multiple security fixes including CSRF protection for attachment thumbnails
• Protocol validation for WordPress embed code
• New locale sanitization function for internationalization
• Fixed update process to prevent deletion of required theme files
• Improved compatibility with PHP 8.1.12+ for WOFF font handling

Migration Guide

No specific migration steps are required for this update. This is a security and maintenance release that should be applied as soon as possible.

When updating to WordPress 6.1.2:

1. Back up your WordPress site before updating
2. Update through the WordPress admin dashboard or via your preferred method
3. Test your site functionality after the update

No database schema changes or breaking changes were introduced in this release.

Upgrade Recommendations

Immediate upgrade strongly recommended

WordPress 6.1.2 contains several critical security fixes that protect your site from potential vulnerabilities. All WordPress site owners should update to version 6.1.2 as soon as possible.

This is a security and maintenance release that does not introduce breaking changes, making it a low-risk update with high security benefits.

Bug Fixes

Update Process Improvements

• Fixed an issue where bundled theme files were incorrectly included in $_old_files list, which could cause problems during updates if those files were required by earlier versions of themes (#56936).

Testing Infrastructure

• Refactored tests for multiple location headers in HTTP API to remove wordpress.org as an external dependency when testing WP_HTTP::handle_redirects() (#57306).
• Adjusted the expected mime type for WOFF fonts on PHP 8.1.12+ to match the updated font/woff type returned by newer versions of libmagic/file (#56817).

Code Standards

• Corrected the deprecation version for _filter_query_attachment_filenames() function (#56791).

New Features

New Internationalization Function

• Added a new sanitization function for locales to improve security and reliability of internationalization features.

End-of-Life Update Support

• Added new translation strings in about.php for use when releasing final versions of WordPress on particular branches, improving the user experience during end-of-life updates.

Security Updates

Critical Security Fixes

• Media: Added CSRF protection when setting attachment thumbnails to prevent potential cross-site request forgery attacks.

• Embeds: Implemented protocol validation for WordPress Embed code to prevent potential security issues with malicious embeds.

• Internationalization: Introduced a new sanitization function for locales to prevent potential injection attacks.

• Block Editor:

  • Ensured block comments are of a valid form to prevent potential security vulnerabilities.
  • Removed shortcode support from block templates to close potential security gaps.

These security fixes address vulnerabilities that could potentially be exploited by malicious actors. All WordPress site owners are strongly encouraged to update to version 6.1.2 immediately.

Performance Improvements

No significant performance improvements were included in this release. The focus was primarily on security enhancements and bug fixes.

Impact Summary

WordPress 6.1.2 is primarily a security-focused release that addresses several critical vulnerabilities in the WordPress core. The security fixes include protection against CSRF attacks in media handling, protocol validation for embeds, improved locale sanitization, and fixes for block editor security issues.

The release also includes important bug fixes, particularly in the update process where it prevents the deletion of potentially required theme files during updates. This change helps maintain theme compatibility across updates.

For developers, the release includes improvements to the testing infrastructure with updated GitHub Actions and better handling of HTTP redirects in tests. There's also improved compatibility with PHP 8.1.12+ regarding WOFF font mime type detection.

While this release doesn't include major new features or performance improvements, the security enhancements make it an essential update for all WordPress installations. The changes are focused on maintaining the security and stability of the WordPress platform without introducing breaking changes.