Author: Jonathan Desrosiers

WordPress 6.2.2 Security Release

Jonathan Desrosiers

WordPress 6.2.2 is now available!

The 6.2.2 minor release addresses 1 bug and 1 security issue. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.9 have also been updated.

WordPress 6.2.2 is a rapid response release to address a regression in 6.2.1 and further patch a vulnerability addressed in 6.2.1. The next major release will be version 6.3 planned for August 2023.

The update process will begin automatically if you have sites that support automatic background updates.

You can download WordPress 6.2.2 from WordPress.org or visit your WordPress Dashboard, click “Updates,” and click “Update Now.”

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities and allowing them to be fixed in this release. 

  • Block themes parsing shortcodes in user-generated data; thanks to Liam Gladdy of WP Engine for reporting this issue.

The issue above was originally patched in the 6.2.1 release, but needed further hardening here in 6.2.2. The Core team is thankful for the community in their response to 6.2.1 and collaboration on finding the best path forward for proper resolution in 6.2.2. The folks who worked on 6.2.2 are especially appreciative for everyone’s understanding while they worked asynchronously to get this out the door as quickly as possible.

Thank you to these WordPress contributors

This release was led by Jonathan Desrosiers.

WordPress 6.2.2 would not have been possible without the contributions of the following people. Their asynchronous coordination to deliver security fixes into a stable release is a testament to the power and capability of the WordPress community.

Aaron Jorbin, Alex Concha, Anthony Burchell, Chloe Bringmann, chriscct7, Daniel Richards, David Baumwald, Ehtisham S., Greg Ziółkowski, Isabel Brison, Jb Audras, Jeffrey Paul, John Blackbourn, Jonathan Desrosiers, Josepha, Marius L. J., Matias Ventura, Mike Schroder, Peter Wilson, Riad Benguella, Robert Anderson, Ryan McCue, Samuel Wood (Otto), Scott Reilly, and Timothy Jacobs

How to contribute

To get involved in WordPress core development, head over to Trac, pick a ticket, and join the conversation in the #core and #6-3-release-leads channels. Need help? Check out the Core Contributor Handbook.

Thanks to @cbringmann, @davidbaumwald, @chanthaboune, @jeffpaul for proofreading.

WordPress 5.8.3 Security Release

Jonathan Desrosiers

This security release features four security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.8.3 is a short-cycle security release. The next major release will be version 5.9, which is already in the Release Candidate stage.

You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your Dashboard → Updates and clicking Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Four security issues affect WordPress versions between 3.7 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issue (except where noted otherwise):

  • Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for disclosing an issue with stored XSS through post slugs.
  • Props to Simon Scannell of SonarSource for reporting an issue with Object injection in some multisite installations.
  • Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a SQL injection vulnerability in WP_Query.
  • Props to Ben Bidner from the WordPress security team for reporting a SQL injection vulnerability in WP_Meta_Query (only relevant to versions 4.1-5.8).

Thank you to all of the reporters above for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked. Thank you to the members of the WordPress security team for implementing these fixes in WordPress.

For more information, check out the 5.8.3 HelpHub documentation page.

Thanks and props!

The 5.8.3 release was led by @desrosj and @circlecube.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.3 happen:

Alex Concha, Dion Hulse, Dominik Schilling, ehtis, Evan Mullins, Jake Spurlock, Jb Audras, Jonathan Desrosiers, Ian Dunn, Peter Wilson, Sergey Biryukov, vortfu, and zieladam.

WordPress 5.8.2 Security and Maintenance Release

Jonathan Desrosiers

WordPress 5.8.2 is now available!

This security and maintenance release features 2 bug fixes in addition to 1 security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.2 have also been updated.

WordPress 5.8.2 is a small focus security and maintenance release. The next major release will be version 5.9.

You can download WordPress 5.8.2 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now. If you have sites that support automatic background updates, they’ve already started the update process.

For more information, browse the full list of changes on Trac, or check out the version 5.8.2 HelpHub documentation page.

Thanks and props!

The 5.8.2 release was led by Jonathan Desrosiers and Evan Mullins.

In addition to the release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.2 happen:

Ari Stathopoulos, Bradley Taylor, davidwebca, Evan Mullins, Greg Ziółkowski, Jonathan Desrosiers, Juliette Reinders Folmer, Mukesh Panchal, Sergey Biryukov, shimon246, and Yui.

Props @circlecube and @pbiron for peer review.

WordPress 5.8.1 Security and Maintenance Release

Jonathan Desrosiers

WordPress 5.8.1 is now available!

This security and maintenance release features 60 bug fixes in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.

WordPress 5.8.1 is a short-cycle security and maintenance release. The next major release will be version 5.9.

You can download WordPress 5.8.1 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

3 security issues affect WordPress versions between 5.4 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 5.4 have also been updated to fix the following security issues:

  • Props @mdawaffe, member of the WordPress Security Team for their work fixing a data exposure vulnerability within the REST API.
  • Props to Michał Bentkowski of Securitum for reporting a XSS vulnerability in the block editor.
  • The Lodash library has been updated to version 4.17.21 in each branch to incorporate upstream security fixes.

In addition to these issues, the security team would like to thank the following people for reporting vulnerabilities during the WordPress 5.8 beta testing period, allowing them to be fixed prior to release:

  • Props Evan Ricafort for reporting a XSS vulnerability in the block editor discovered during the 5.8 release’s beta period.
  • Props Steve Henty for reporting a privilege escalation issue in the block editor.

Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the WordPress security team time to fix the vulnerabilities before WordPress sites could be attacked.

For more information, browse the full list of changes on Trac, or check out the version 5.8.1 HelpHub documentation page.

Thanks and props!

The 5.8.1 release was led by Jonathan Desrosiers and Evan Mullins.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.1 happen:

2linctools, Adam Zielinski, Alain Schlesser, Alex Lende, alexstine, AlGala, André, Andrei Draganescu, Andrew Ozz, Ankit Panchal, Anthony Burchell, Anton Vlasenko, Ari Stathopoulos, Bruno Ribaric, Carolina Nymark, Daisy Olsen, Daniel Richards, Daria, David Anderson, David Biňovec, David Herrera, Dominik Schilling, Ella van Durpe, Enchiridion, Evan Mullins, Gary Jones, George Mamadashvili, Greg Ziółkowski, Héctor Prieto, ianmjones, Jb Audras, Jeff Bowen, Joe Dolson, Joen A., John Blackbourn, Jonathan Desrosiers, JuanMa Garrido, Juliette Reinders Folmer, Kai Hao, Kapil Paul, Kerry Liu, Kevin Fodness, Marcus Kazmierczak, Mark-k, Matt, Michael Adams (mdawaffe), Mike Schroder, moch11, Mukesh Panchal, Nik Tsekouras, Paal Joachim Romdahl, Pascal Birchler, Paul Bearne, Paul Biron, Peter Wilson, Petter Walbø Johnsgård, Radixweb, Rahul Mehta, ramonopoly, ravipatel, Riad Benguella, Robert Anderson, Rodrigo Arias, Sanket Chodavadiya, Sergey Biryukov, Stephen Bernhardt, Stephen Edgar, Steve Henty, terraling, Timothy Jacobs, tmatsuur, TobiasBg, Tonya Mork, Toro_Unit (Hiroshi Urabe), Vlad T, wb1234, and WFMattR.

WordPress 5.8 Beta 2

Jonathan Desrosiers

WordPress 5.8 Beta 2 is now available for testing!

This software is still in development, so it’s not recommended to run this version on a production site. Consider setting up a test site to play with it.

You can test the WordPress 5.8 Beta 2 in two ways:

  • Install/activate the WordPress Beta Tester plugin (select the Bleeding edge channel and the Beta/RC Only stream)
  • Direct download the beta version here (zip).

The current target for the final release is July 20, 2021. That’s just five weeks away, so your help is vital to ensure that the final release is as good as it can be.

Some Highlights

Since Beta 1, 26 bugs have been fixed. Here is a summary of some of the included changes:

  • Block Editor: Remove bundled block patterns and support the patterns directory. (#53246)
  • Block Editor: Add a type property to allow Core to identify the source of the editor styles. (#53175)
  • Build/Test Tools: Adds some tests for Quick Draft section in Dashboard. (#52905)
  • Build/Test Tools: Replaced @babel/polyfill with core-js/stable. (#52941)
  • Coding Standards: Further update the code for bulk menu items deletion to better follow WordPress coding standards. (#21603)
  • External Libraries: Update Underscore to version 1.13.1. (#45785)
  • General: A number of block editor, template mode and widget screen related fixes. (#51149)
  • Login and Registration: Improve the unknown username error message. (#52915)
  • Media: Restore AJAX response data shape in media library. (#50105)
  • Site Health: Display a list of file formats supported by the GD library. (#53022)
  • Twemoji: It’s the new one! (#52852)

How You Can Help

Watch the Make WordPress Core blog for 5.8-related developer notes in the coming weeks, which will break down these and other changes in greater detail.

So far, contributors have fixed 214 tickets in WordPress 5.8, including 87 new features and enhancements, and more bug fixes are on the way.

Do some testing!

Testing for bugs is a vital part of polishing the release during the beta stage and a great way to contribute. ✨

If you think you’ve found a bug, please post to the Alpha/Beta area in the support forums. We would love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac. That’s also where you can find a list of known bugs.

Props to @chanthaboune for revision, @webcommsat, @youknowriad, @jorbin, @felipeelia , and @jeffpaul for proofreading, and @cbringmann for final edits!

Install won’t you please
WordPress 5-8 Beta 2?
We need your help: test!

Dropping support for Internet Explorer 11

Jonathan Desrosiers

Internet Explorer 11 (IE11) was released over 7 years ago and is currently used by less than 1% of all users on the Internet with usage rapidly declining. A large majority of popular websites have already stopped supporting IE11 (including Microsoft Teams in 2020), and even the Microsoft 365 apps and services will be dropping support later this year.

When WordPress 5.8 is released in July of this year, Internet Explorer 11 will no longer be supported.

If you are currently using IE11, it is strongly recommended that you switch to a more modern browser, such as Google Chrome, Mozilla Firefox, Safari, or Microsoft Edge. IE11 users have been shown a warning that IE11 is considered outdated in the WordPress dashboard for the last 17+ months.

If you are already using one of the more modern browsers above, you will only be positively impacted by this change, as there are performance benefits to dropping IE11 support. However, if any other users of your site are still using IE11, it’s possible they will be affected.

What does “dropping support” mean?

When support for a browser is removed from WordPress, new features are no longer tested on those browsers and are not guaranteed to function optimally.

Automated tools that generate parts of the WordPress Core source code are also updated to exclude unsupported browsers. This means that any feature relying on these generated files will likely have bugs or stop working for users of those browsers.

The block editor will be the area of WordPress most heavily impacted by this change because almost all of the files related to the block editor are compiled using these automated tools. Other areas of the WordPress dashboard also use CSS built with these tools and their appearance will potentially be impacted when using IE11.

All other areas of the code base that are IE11 specific will need to be identified, evaluated, and removed on a case-by-case basis as the rest are manually maintained. This process will begin in the WordPress 5.9 release, and will likely happen gradually over several major releases. Additionally, any bugs which are reported for IE11 will not be fixed.

How will this affect themes?

No changes will be made to any of the default bundled themes as a result of this plan. No code related to IE11 support (or any other browser that may have been supported when each theme was released) will be removed from default themes. However, any new features added going forward will not be tested in IE11.

If you are not using a default theme, it’s still unlikely that your theme will be affected by this change. Themes typically have their own browser support policies, and changes in WordPress Core do not affect those. It’s possible that your theme author may have removed support for IE11 already.

If IE11 support is important to you and you are unsure whether your theme supports IE11, it is recommended that you reach out to your theme’s developer to confirm.

More information on this change can be found on the Making WordPress Core blog.

WordPress 5.3 RC3

Jonathan Desrosiers

The third release candidate for WordPress 5.3 is now available!

WordPress 5.3 is currently scheduled to be released on November 12 2019, but we need your help to get there—if you haven’t tried 5.3 yet, now is the time!

There are two ways to test the WordPress 5.3 release candidate:

For details about what to expect in WordPress 5.3, please see the first and second release candidate posts.

Release Candidate 3 contains improvements to the new About page, bug fixes for the new default theme, Twenty Twenty (see #48450), and 9 fixes for the following bugs and regressions:

  • Four bugs in the block editor have been fixed (see #48447).
  • Three Date/Time related bugs have been fixed (see #48384).
  • A regression in date_i18n() has been fixed (see #28636).
  • An accessibility color contrast regression for primary buttons when using alternate admin color schemes was fixed (see #48396).

Plugin and Theme Developers

Please test your plugins and themes against WordPress 5.3 and update the Tested up to version in the readme to 5.3. If you find compatibility problems, please be sure to post to the support forums so we can figure those out before the final release.

The WordPress 5.3 Field Guide has also been published, which details the major changes.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

WordPress 5.2.1 Maintenance Release

Jonathan Desrosiers

WordPress 5.2.1 is now available! This maintenance release fixes 33 bugs, including improvements to the block editor, accessibility, internationalization, and the Site Health feature introduced in 5.2.

You can browse the full list of changes on Trac.

WordPress 5.2.1 is a short-cycle maintenance release. Version 5.2.2 is expected to follow in approximately two weeks.

You can download WordPress 5.2.1 or visit Dashboard → Updates and click Update Now. Sites that support automatic background updates have already started to update automatically.

Jonathan Desrosiers and William Earnhardt co-led this release, with contributions from 52 other contributors. Thank you to everyone that made this release possible!

Alex Dimitrov, Alex Shiels, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andrey “Rarst” Savchenko, Andy Fragen, anischarolia, Birgir Erlendsson (birgire), chesio, Chetan Prajapati, daxelrod, Debabrata Karfa, Dima, Dion Hulse, Dominik Schilling, Ella van Durpe, Emil Dotsev, ghoul, Grzegorz (Greg) Ziółkowski, gwwar, Hareesh, Ian Belanger, imath, Jb Audras, Jeremy Felt, Joen Asmussen, Jonathan Desrosiers, Jonny Harris, Josepha, jrf, kjellr, Marius L. J., MikeNGarrett, Milan Dinić, Mukesh Panchal, onlanka, paragoninitiativeenterprises, parkcityj, Peter Wilson, Presskopp, Riad Benguella, Sergey Biryukov, Stephen Edgar, Sébastien SERRE, Thorsten Frommen, Tim Hengeveld, Timothy Jacobs, timph, TobiasBg, tonybogdanov, Tor-Bjorn Fjellner, William Earnhardt, and Yui.

WordPress 5.2 Beta 3

Jonathan Desrosiers

WordPress 5.2 Beta 3 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site to play with the new version.

There are two ways to test the latest WordPress 5.2 beta: try the WordPress Beta Tester plugin (you’ll want to select the “bleeding edge nightlies” option), or you can download the beta here (zip).

WordPress 5.2 is slated for release on April 30, and we need your help to get there! Thanks to the testing and feedback from everyone who tried beta 2, nearly 40 tickets have been closed since then. Here are the major changes and bug fixes:

  • The new Site Health feature has continued to be refined.
  • Plugins no longer update if a site is running an unsupported version of PHP (see #46613).
  • It’s now more apparent when a site is running in Recovery Mode (see #46608).
  • The distraction free button no longer breaks keyboard navigation in the Classic Editor (see #46640).
  • Assistive technologies do a better job of announcing admin bar sub menus (see #37513).
  • Subject lines in WordPress emails are now more consistent (see #37940).
  • Personal data exports now only show as completed when a user downloads their data (see #44644).
  • Plus more improvements to accessibility (see #35497 and #42853).

Minimum PHP Version Update

Important reminder: as of WordPress 5.2 beta 2, the minimum PHP version that WordPress will require is 5.6.20. If you’re running an older version of PHP, we highly recommend updating it now, before WordPress 5.2 is officially released.

Minimum PHP Version update

Developer Notes

WordPress 5.2 has lots of refinements to polish the developer experience. To keep up, subscribe to the Make WordPress Core blog and pay special attention to the developers notes for updates on those and other changes that could affect your products.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages! The beta 3 release also marks the soft string freeze point of the 5.2 release schedule.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

Would you look at that
each day brings release closer
test to be ready.

WordPress 5.0.3 Maintenance Release

Jonathan Desrosiers

WordPress 5.0.3 is now available!

5.0.3 is a maintenance release that includes 37 bug fixes and 7 performance updates. The focus of this release was fine-tuning the new block editor, and fixing any major bugs or regressions.

Here are a few of the highlights:

For a full list of changes, please consult the list of tickets on Trac, changelog, or read a more technical summary on the Make WordPress Core blog.

You can download WordPress 5.0.3 or visit Dashboard → Updates on your site and click Update Now. Sites that support automatic background updates have already started to update automatically.

Thank you to everyone who contributed to WordPress 5.0.3:

Aaron Jorbin, Alex Shiels, allancole, Andrea Fercia, Andrew Nevins, Andrew Ozz, Birgir Erlendsson (birgire), bobbingwide, Csaba (LittleBigThings), David Binovec, David Herrera, Dominik Schilling (ocean90), Felix Arntz, Gary Pendergast, Gerhard Potgieter, Grzegorz (Greg) Ziółkowski, Jb Audras, Job, Joe McGill, Joen Asmussen, John Blackbourn, Jonathan Desrosiers, kjellr, laurelfulford, Marcus Kazmierczak, Milan Dinić, Muntasir Mahmud, Nick Halsey, panchen, Pascal Birchler, Ramanan, Riad Benguella, Ricky Lee Whittemore, Sergey Biryukov, Weston Ruter, and William Earnhardt.