WordPress Release: 6.4.3

TL;DR

WordPress 6.4.3 is a security and maintenance release that addresses several important issues. It fixes security vulnerabilities in ZIP file handling, improves login error message display, resolves theme compatibility issues with PHP functions, and includes multiple editor enhancements. This release also fixes issues with attachment page redirects for logged-out users and ensures proper emoji style handling in embeds. The update is recommended for all WordPress 6.4.x installations.

Highlight of the Release

• Security fix for ZIP file handling and validation
• Fixed login error message display issues
• Resolved theme compatibility issues with PHP functions
• Multiple editor enhancements for blocks, patterns, and accessibility
• Fixed attachment page redirects for logged-out users

Migration Guide

No specific migration steps are required for this maintenance release. WordPress 6.4.3 is a standard update that can be applied through the WordPress dashboard or via manual update methods.

For developers who have been using the latest Node.js versions, note that the minimum required version has been updated to Node.js 20.10.0 and npm 10.2.3 for development environments.

Upgrade Recommendations

This release includes important security fixes and is therefore strongly recommended for all WordPress sites running version 6.4.x.

WordPress 6.4.3 is a security and maintenance release, addressing vulnerabilities and fixing several bugs. The security team has identified issues with ZIP file handling that have been addressed in this release.

You can update to WordPress 6.4.3 via your dashboard or by downloading the release from WordPress.org. If you have sites that support automatic background updates, they've already started updating automatically.

Bug Fixes

Login and Registration

• Fixed display of error messages when using the wp_login_errors filter, ensuring proper display of both error and instructional messages

Theme Compatibility

• Reverted usage of str_contains() in Twenty Seventeen, Twenty Twenty, and Twenty Twenty-One themes to maintain compatibility with older WordPress versions
• Added missing textdomain in Twenty Twenty-Four pattern category description

Media Handling

• Fixed redirection for inactive attachment pages for logged-out users, ensuring proper security while maintaining functionality
• Ensured proper usage of wp_enqueue_emoji_styles() instead of the deprecated print_emoji_styles() function in embeds

Installation

• Fixed serialization during installation by using maybe_serialize() instead of always serializing options

New Features

Editor Improvements

• Fixed block rename control appearing in "Advanced" panel for unsupported blocks
• Improved Query Loop block with accessibility markup and removed unnecessary classes
• Fixed duotone controls not showing in site editor style block level styles
• Enhanced background image support with proper reset button behavior
• Fixed focus loss when resetting background image
• Improved autocomplete functionality for better VoiceOver announcement of suggestions
• Fixed pattern category renaming that could cause duplicate categories
• Improved pattern JSON downloads to handle non-ASCII encoding
• Added context for translators for clearer understanding of "synced" terminology
• Fixed image block migration with lightbox values
• Improved image block selection when clicked
• Reduced specificity of default Cover text color styles
• Fixed image block deprecation when width/height attribute is a number
• Limited text selection CSS hack to Safari only
• Enhanced SlotFill to allow contextual SlotFillProviders

Security Updates

Security Enhancements

• Added improved checks for and verification of ZIP archives during upload to prevent potential security vulnerabilities
• Fixed attachment page handling for logged-out users to prevent potential data leaks where revealing a URL could expose sensitive information

Performance Improvements

No significant performance improvements were specifically mentioned in this maintenance release. The focus was primarily on security fixes, bug fixes, and compatibility improvements.

Impact Summary

WordPress 6.4.3 is primarily a security and maintenance release that addresses several important issues across the platform. The most significant impact comes from the security fixes related to ZIP file handling and validation, which protect sites from potential vulnerabilities.

The release also resolves several user experience issues, particularly in the block editor, improving functionality for content creators. Theme compatibility has been enhanced by removing usage of PHP 8.0+ functions (str_contains()) from bundled themes, ensuring they work properly on sites using older PHP versions.

For developers, the update to Node.js requirements (minimum 20.10.0) may require adjustments to development environments, though this doesn't affect end users.

The fix for attachment page redirects for logged-out users addresses both a security concern and a functional issue, ensuring proper behavior while preventing potential data leaks.

Overall, this release maintains WordPress's commitment to security and stability while addressing specific issues reported by the community since the 6.4.2 release.