WordPress Release: 6.3.2

TL;DR

WordPress 6.3.2 is a security and maintenance release that addresses several critical security vulnerabilities and fixes numerous bugs affecting performance, theme compatibility, and core functionality. This update includes important security patches for the REST API, application passwords, and comment visibility, along with performance improvements for page queries and block theme rendering. The release also resolves issues with block styles on Windows systems, fluid typography calculations, and plugin compatibility checks during bulk upgrades.

Highlight of the Release

• Critical security fixes for REST API, application passwords, and comment visibility
• Performance improvements for page queries and block theme rendering
• Fixed plugin compatibility checks during bulk upgrades
• Resolved issues with block styles on Windows systems
• Enhanced HTML Tag Processor to properly handle RAWTEXT elements and duplicate attributes

Migration Guide

for WordPress 6.3.2

This is primarily a security and maintenance release with no breaking changes that would require specific migration steps. However, developers should be aware of the following changes:

For Plugin Developers

If your plugin relies on the behavior of get_pages(), note that this function has been optimized to avoid redundant SQL queries. The sort ordering by post_modified_gmt or modified_gmt has been reinstated, but you should test your plugin if it heavily depends on this function.

For Theme Developers

1. Block Style Caching: The caching strategy for core block styles has changed. If your theme interacts with core block styles, test thoroughly to ensure compatibility.

2. Child Theme Asset Loading: If you develop child themes where the directory name starts with the parent theme's directory name, asset loading has been fixed. Review your theme to ensure it works correctly with this change.

3. Twenty Twenty Theme: If you've built upon the Twenty Twenty theme, note that twentytwenty_block_editor_styles() now uses the enqueue_block_assets hook instead of enqueue_block_editor_assets for WordPress 6.3 and later.

For Site Administrators

No specific migration steps are required. However, after updating to WordPress 6.3.2, it's recommended to:

1. Test your site thoroughly, especially if you use custom themes or plugins
2. Review any custom code that might interact with the HTML Tag Processor
3. Check that your plugins update correctly with the new compatibility checks

Upgrade Recommendations

Immediate upgrade is strongly recommended for all WordPress sites.

WordPress 6.3.2 contains critical security fixes that address multiple vulnerabilities in the REST API, application passwords, comment visibility, and other core components. These security issues could potentially be exploited if left unpatched.

In addition to the security improvements, this release includes important bug fixes for performance issues, theme compatibility problems, and core functionality. The update addresses issues that affect:

• Page query performance
• Block theme rendering
• Plugin compatibility checks during upgrades
• Block styles on Windows systems
• Fluid typography calculations

The upgrade process should be straightforward as this is a maintenance release with no breaking changes. As always, it's recommended to:

1. Back up your website before updating
2. Update all themes and plugins to their latest versions
3. Test your site functionality after the update

For managed WordPress hosting customers, many providers will automatically apply this security update. Check with your hosting provider if you're unsure about your update status.

Bug Fixes

Performance and Query Improvements

• Avoided redundant SQL queries in get_pages() by passing query arguments directly to the WP_Query::query() method rather than to the constructor and calling get_posts()
• Reinstated missing sort_column options in get_pages() that broke sort ordering by post_modified_gmt or modified_gmt
• Fixed stale caches for core block styles by modifying the caching strategy to store paths relative to the blocks location rather than full paths, and including the WordPress version value to ensure rebuilding when versions change
• Fixed core block style paths on Windows by normalizing the BLOCKS_PATH for Windows prior to making paths relative for caches

Theme and Editor Fixes

• Fixed loading of assets in blocks in child themes where the directory name starts with the parent theme's directory name
• Prevented fatal errors when previewing block themes by ensuring that preview callbacks attached to the stylesheet and template filters do not run before pluggable.php has been included
• Fixed fluid typography calculation to use fallback value if layout wide size is a fluid value
• Preserved block style variations when securing theme by adding the ability to process block style variations to the remove_insecure_properties function of theme JSON class
• Fixed style issues within iframed editor for Twenty Twenty theme by replacing body with html for CSS selectors and moving twentytwenty_block_editor_styles() from enqueue_block_editor_assets to enqueue_block_assets
• Added ability to trash draft patterns by adding delete_posts to capabilities for the wp_block post type

HTML API and Technical Fixes

• Improved Tag Processor to skip over contents of RAWTEXT elements such as STYLE tags
• Fixed attribute removal in Tag Processor to remove all duplicate copies of an attribute when removing
• Fixed broken sprintf() call when deleting a backup in WP_Upgrader::delete_temp_backup() that triggered a Warning in PHP 7 and a Fatal Error in PHP 8
• Added sys_get_temp_dir() to open_basedir tests to ensure permission is granted for the temporary directory in PHPUnit tests

New Features

Enhanced Plugin Compatibility Checks

WordPress 6.3.2 introduces improved plugin compatibility checks during bulk upgrades. The system now verifies that plugin packages are compatible with both the site's WordPress version and the server's PHP version before installation. This prevents incompatible updates from being installed, which could cause various compatibility issues and errors.

The new process implements two levels of checks:

• First, it checks the API response's requires and requires_php values for compatibility before downloading
• If the API check passes, it verifies the downloaded package using Plugin_Upgrader::check_package() to ensure compatibility based on the plugin's "RequiresWP" and "RequiresPHP" headers

This enhancement saves time, disk space, memory, and file operations by failing incompatible upgrades early in the process.

Security Updates

Critical Security Fixes

WordPress 6.3.2 includes several important security fixes:

• REST API Vulnerabilities

  • Limited search_columns for users without list_users capability to prevent unauthorized access to user data
  • Ensured no-cache headers are sent when methods are overridden to prevent caching of sensitive data

• Object Unserialization Protection

  • Added protection against unintended behavior when certain objects are unserialized, preventing potential object injection attacks

• Comment Visibility Controls

  • Prevented users who cannot see a post from seeing comments on that post, ensuring proper access control

• Application Password Security

  • Prevented the use of certain pseudo protocols in application passwords to block potential security bypasses

• Media Shortcode Protection

  • Restricted ajax handler for media shortcode to prevent unauthorized access

• Footnotes Display Hardening

  • Enhanced security for the display of footnotes in the editor to prevent potential XSS vulnerabilities

Performance Improvements

Query Performance Optimization

WordPress 6.3.2 includes significant performance improvements for page queries by avoiding redundant SQL operations:

• Optimized get_pages() function to avoid an additional database query by passing query arguments directly to the WP_Query::query() method rather than to the constructor and calling get_posts()
• Improved caching strategy for core block styles to avoid expensive file operations on every page load by storing paths relative to the blocks location rather than full paths

Build Tool Improvements

• Enhanced Grunt watch process to avoid doing copy:dynamic when running grunt watch with the --dev option, preventing erroneously copying a file from source onto itself
• Restored automatically retrying failed E2E tests once in GitHub Actions workflows, helping to resolve timeout issues without human intervention

Impact Summary

WordPress 6.3.2 is a significant security and maintenance release that addresses multiple critical security vulnerabilities while also fixing important bugs and performance issues.

The security improvements are substantial, with patches for REST API vulnerabilities, application password restrictions, comment visibility controls, and protection against object unserialization attacks. These fixes close potential security holes that could be exploited by malicious actors.

Performance enhancements focus on optimizing page queries by avoiding redundant SQL operations and improving the caching strategy for core block styles. These changes should result in better performance, especially for sites with many pages.

Bug fixes address a wide range of issues affecting theme compatibility, block editor functionality, and core WordPress features. Notable improvements include fixing plugin compatibility checks during bulk upgrades, resolving issues with block styles on Windows systems, and enhancing the HTML Tag Processor to properly handle RAWTEXT elements and duplicate attributes.

For developers, the release includes important fixes for the HTML API, improvements to the handling of block style variations, and better support for child themes. Content creators will benefit from fixes to the block editor experience, including the ability to trash draft patterns and improved fluid typography calculations.

Overall, this release strengthens WordPress's security posture while improving stability, performance, and compatibility across different environments and use cases. The immediate impact should be positive for all WordPress users, with no breaking changes that would disrupt existing sites.