WordPress Release: 6.3.5

Tag Name: 6.3.5

Release Date: 6/24/2024

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 6.3.5 is a security and maintenance release that addresses critical security vulnerabilities, including path traversal issues in the Template-Part Block on Windows systems, and improves HTML attribute sanitization. This release also includes several build and testing infrastructure improvements to ensure long-term maintainability of the 6.3 branch.

Highlights of the Release

    • Fixed path traversal security vulnerability in Template-Part Block on Windows systems
    • Improved HTML attribute sanitization for better security
    • Updated build and test infrastructure with reusable workflows
    • Removed outdated Gutenberg plugin activation e2e test

Migration Guide

No migration steps are required for this security update. Site administrators should update to WordPress 6.3.5 as soon as possible to ensure their sites are protected against the security vulnerabilities addressed in this release.

Upgrade Recommendations

This is a security release that addresses several vulnerabilities. It is strongly recommended that all WordPress sites running version 6.3.x update to 6.3.5 immediately.

The update process should be straightforward:

  • Back up your website before updating
  • Update through your WordPress dashboard or via your preferred method
  • Verify your site functionality after the update

No breaking changes are included in this release, so the update should be seamless for most users.
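
The three steps above can be scripted. The following is an added example, not part of the release or of WordPress itself: it assumes WP-CLI is installed as `wp`, and the names `needs_update`, `update_site` and `BACKUP_DIR` are hypothetical.

```shell
#!/bin/sh
# Added example: back up, update to 6.3.5, verify. Assumes WP-CLI is on PATH as `wp`.
TARGET="6.3.5"
BACKUP_DIR=${BACKUP_DIR:-$HOME}   # assumption: a directory outside the web root

# Succeeds (status 0) when the version is on the 6.3 branch and older than 6.3.5.
# Only 6.3.x is covered by this release; other branches are left alone.
needs_update() {
    case "$1" in
        6.3)   patch=0 ;;                 # "6.3" is 6.3.0
        6.3.*) patch=${1#6.3.} ;;
        *)     return 1 ;;
    esac
    patch=${patch%%[!0-9]*}               # ignore suffixes such as "-RC1"
    [ -n "$patch" ] || return 1
    [ "$patch" -lt 5 ]
}

update_site() {
    site=$1
    current=$(wp core version --path="$site") || return 1
    if ! needs_update "$current"; then
        echo "$site: version $current, not a 6.3.x install below $TARGET"
        return 0
    fi
    # Step 1: back up. The dump is written outside the site directory so it
    # cannot be fetched over HTTP; file backups are left to existing tooling.
    wp db export "$BACKUP_DIR/pre-$TARGET-$(date +%Y%m%d%H%M%S).sql" \
        --path="$site" || return 1
    # Step 2: update, pinned to this release, then run any database upgrade.
    wp core update --version="$TARGET" --path="$site" || return 1
    wp core update-db --path="$site" || return 1
    # Step 3: verify the reported version and compare core files against
    # the official checksums for that version.
    [ "$(wp core version --path="$site")" = "$TARGET" ] || return 1
    wp core verify-checksums --path="$site"
}

# Runs only when a WordPress directory is given, e.g. ./update.sh /var/www/example
if [ $# -gt 0 ]; then
    update_site "$1"
fi
```

Checksum verification covers core files only, so the functional check of the site in the third step still has to be done by hand.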

Bug Fixes

Security Fixes

  • Fixed path traversal issue on Windows in Template-Part Block
  • Improved sanitization of Template Part HTML tag on save
  • Enhanced URL attribute handling to ensure proper escaping through esc_url()

New Features

No new features were added in this security and maintenance release. The focus was on addressing security vulnerabilities and improving the build and testing infrastructure.

Security Updates

Security Vulnerabilities Addressed

  • Path Traversal in Template-Part Block: Fixed a vulnerability on Windows systems that could potentially allow unauthorized file access through path traversal in the Template-Part Block
  • Template Part HTML Tag Sanitization: Improved sanitization of Template Part HTML tags on save to prevent potential security issues
  • URL Attribute Handling: Enhanced security by ensuring URL attributes are run through the esc_url() function

These security fixes help protect WordPress sites from potential attacks and unauthorized access.

Performance Improvements

This release doesn't include specific performance improvements for end users. The changes are primarily focused on security fixes and build/test infrastructure improvements.

Impact Summary

WordPress 6.3.5 is primarily a security release that addresses several important vulnerabilities, particularly related to the Template-Part Block on Windows systems and HTML attribute handling. These fixes are critical for maintaining the security of WordPress sites.

The release also includes several improvements to the build and testing infrastructure, which won't affect end users but will help ensure the long-term maintainability of the 6.3 branch. This includes updated GitHub workflows, Docker configuration improvements, and removal of outdated tests.

Site administrators should update to this version immediately to protect their sites from potential security threats. The update process should be straightforward with no breaking changes or migration steps required.

Statistics:

  • Files Changed: 23
  • Line Additions: 1,900
  • Line Deletions: 2,178
  • Line Changes: 4,078
  • Total Commits: 6

Users Affected:

  • Should update immediately to protect sites from security vulnerabilities
  • No manual action required beyond updating to 6.3.5

Contributors:

ockham, desrosj, audrasjb