WordPress 5.2.4 Security Release

WordPress 5.2.4 is a short-cycle security release that was released on wordpress.org this morning.

This WordPress security update fixes 6 security issues.

According to the update article on wordpress.org, WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4.

Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2.

Fixes to the following security issues are available in the new version 5.2.4 release:

  • Issue where stored XSS (cross-site scripting) could be added via the Customizer.
  • A method of viewing unauthenticated posts.
  • A method to create a stored XSS to inject JavaScript into style tags.
  • A method to poison the cache of JSON GET requests via the Vary: Origin header.
  • A server-side request forgery in the way that URLs are validated.
  • Issues related to referrer validation in the admin.

For more information, you can browse the full list of changes on Trac or check out the Version 5.2.4 documentation page.

WordPress 5.2.3

The WordPress 5.2.3 security and maintenance release is now available from wordpress.org.

Version 5.2.3 is a security and maintenance release that features 29 fixes and enhancements.

These bugs affect WordPress versions 5.2.2 and earlier.

This security and maintenance release fixes them, so there is every good reason to upgrade.

If you haven’t yet updated to 5.2, there are also updated versions of 5.0 and earlier that fix the bugs for you.

WordPress 5.2.3 Security Updates

It also adds a number of security fixes—see the list below.

  • Props to Simon Scannell of RIPS Technologies for finding and disclosing two issues. The first was a cross-site scripting (XSS) vulnerability found in post previews by contributors. The second was a cross-site scripting vulnerability in stored comments.
  • Props to Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect. 
  • Props to Anshul Jain for disclosing reflected cross-site scripting during media uploads.
  • Props to Zhouyuan Yang of Fortinet’s FortiGuard Labs who disclosed a vulnerability for cross-site scripting (XSS) in shortcode previews.
  • Props to Ian Dunn of the Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard.
  • Props to Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.
  • In addition to the above changes, we are also updating jQuery on older versions of WordPress. This change was added in 5.2.1 and is now being brought to older versions. 

You can browse the full list of changes on Trac.

More info

For more info, browse the full list of changes on Trac or check out the Version 5.2.3 documentation page.

Version 5.2.3 is a short-cycle maintenance release.

The next major release will be version 5.3.

WordPress 5.2 Jaco

Today wordpress.org is releasing the new WordPress 5.2 Jaco.

This release is named ‘Jaco’ after renowned and revolutionary jazz bassist Jaco Pastorius.

Under the headline ‘keeping sites safer’ and a blog post illustration of a woman doing car maintenance, WordPress 5.2 Jaco focuses on site safety and site health.

The new features in this version make it easy to fix a WordPress website if something goes wrong.

There are some robust tools for identifying and fixing configuration issues and fatal errors.

Whether you are a developer helping clients or you manage a WordPress website, these tools can help get you the right information when you need it.



Site Health Check

Building on the Site Health features introduced in 5.1, this release adds two new pages to help debug common configuration issues.

It also adds space where developers can include debugging information for site maintainers.


PHP Error Protection

This administrator-focused update lets site managers safely fix or manage fatal errors without requiring developer time.

It features better handling of the so-called “white screen of death,” and a way to enter recovery mode, which pauses error-causing plugins or themes.


Improvements in WordPress 5.2

Accessibility Updates

A number of changes work together to improve contextual awareness and keyboard navigation flow for those using screen readers and other assistive technologies.

New Dashboard Icons

Thirteen new icons are added to WordPress.

They include Instagram, a suite of icons for BuddyPress, and rotating Earth icons for global inclusion.

Plugin Compatibility Checker

WordPress will now automatically determine if your site’s version of PHP is compatible with installed plugins.

If a plugin requires a higher version of PHP than your site currently uses, WordPress will not allow you to activate it.

This helps prevent potential compatibility errors.


WordPress powers one-third of the web

WordPress reached a significant milestone this month.

As of the beginning of April 2019, WordPress powers more than one-third of the top 10 million sites on the web.

Source: W3Techs, which tracks usage statistics for all major web platforms.

WordPress 5.2 is coming!

WordPress 5.1.1 was released in March 2019.

It has 14 fixes and enhancements, and the Core team is now focusing on the next major release, version 5.2.

This release will include some great new features, along with the latest updates to the block editor.

One of the most anticipated new features is the improved fatal error detection.

This was removed from version 5.1 shortly before release so that it could be improved and made more secure for this release.

PHP 5.6 will be the minimum required PHP version for WordPress.

It’s a significant step towards a more modern web and updated coding standards.

WordPress 5.2 is now in beta and you can test it by installing the Beta Tester plugin on any WordPress site.

Proposal for a Central Block Directory

Blocks are becoming the new way to manage content in WordPress.

More and more types of blocks are being developed for different use cases and content types.

In an effort to make it easier for content creators to find these block types, there is a proposal for a new type of plugin and a directory to handle it.

The proposal outlines a new type of WordPress plugin that provides blocks, named Single Block Plugins.

The benefit is to provide content creators with individual pieces of functionality and new types of blocks without the need to search for and install new plugins.

The Single Block Plugins would be hosted in a separate Block Directory section of the Plugin Directory.

Each plugin will register a single block, and they will be searchable and installable from within the editor itself.

This puts blocks at the publishers’ fingertips — you no longer have to leave the editor to find them.

Global WordPress Translation Day is Back

On 11 May 2019, the fourth Global WordPress Translation Day will take place.

This is a 24-hour global event dedicated to the translation of all things WordPress, from core to themes, plugins to marketing.

In 24 hours, WordPress communities will translate WordPress into their local languages and watch talks and sessions broadcast on wptranslationday.org.

During the last Global WordPress Translation Day, 71 local events took place in 29 countries.

Gutenberg Development Continues

Version 5.3 of Gutenberg, released this month, includes a new block manager modal, the ability to nest different elements in the cover block, and some UI tweaks to improve the hover state of blocks.

WordPress 5.2 is coming!

In a short while we will see WordPress 5.2 being released – maybe as early as April 2019.

In his article on make.wordpress.org, Gary Pendergast describes and proposes a release schedule for the Beta, the RC and the final release of WordPress 5.2.

Proposed WordPress 5.2 Schedule according to Gary Pendergast

To give something a little more specific than “late April”, I’d like to propose the following key dates for WordPress 5.2.

– Beta 1: March 14, 2019.
– Release Candidate 1: April 10, 2019.
– General Release: April 23, 2019.

The end of April does have quite a few observed holidays to account for. The weekend of April 20/21 is Easter, the week of April 20-27 is Passover, and the weekend of April 27-28 is Orthodox Easter. The following week includes May Day, and is the week before the start of Ramadan.

I would like to propose April 23 as a reasonable compromise that isn’t an observed holiday for most people, and allows several days after the release for sites to test and upgrade.

Proposed WordPress 5.2 Scope

Given the timeframe, there are several projects in progress that would fit nicely.

Gutenberg
With the widgets to blocks being complete for Gutenberg 5.1, the Gutenberg work is ready to move into the next item on the 9 projects for 2019 list: the block directory.

The way authors discover and use new blocks is shaping up to be an important part of the block editor experience, so join in the #meta and #core-editor channels to discuss this important part of our future infrastructure.

With the explosion of new blocks comes the need to manage them. There are a lot of plugins which add dozens of blocks, but authors may only need one or two of them. Being able to hide the ones they don’t use can only make the editing experience easier. The CoBlocks plugin recently introduced a Block Manager feature along these lines.

Additionally, the Gutenberg team have made more UX and performance improvements, which you can see in recent Gutenberg plugin releases.

Site Health Check
The Health Check plugin has been coming along nicely, and is looking like it will be ready to merge before beta 1. This is another of the 9 projects for 2019.

PHP Error Protection
While it missed WordPress 5.1, the core PHP team have been reworking the PHP Error Protection feature, and are on target for releasing it in WordPress 5.2.

Update Package Signing
Auto-updates are featured as two of the 9 projects for 2019, but to ensure these are completed in a safe and reliable fashion, there are a few steps to take beforehand.

The first step involves implementing update package signing, which ensures sites have downloaded a valid update package.

Once package signing has proven itself when running against WordPress 5.2.x releases, the next steps include improving the error detection and fallback mechanisms for the plugin and theme updaters, as well as making UI options available for enabling auto-updates.

Pending WordPress.org work and Systems approval, package signing could reasonably be ready for WordPress 5.2.

WordPress 5.1 Beta 1

WordPress 5.1 Beta 1 is now available from wordpress.org.

WordPress 5.1 is scheduled for release in late February 2019 – the 19th according to wordpress.org.

Site Health Checker

The new Site Health Check is a project within WordPress aimed at improving the stability and performance of the entire WordPress ecosystem.

The first phase of this project will be included in WordPress 5.1.

For the first time, WordPress will catch and pause the problem code, so you can log in to your Dashboard and see what the problem is.

Previously, you would need FTP to diagnose and solve the problems in your files, or you would have to get in touch with your host.

Additionally, in April 2019, WordPress will increase its minimum supported PHP version to 5.6. To help you check if you’re prepared for this change, WordPress 5.1 will show you a warning and help you upgrade your version of PHP, if necessary.

The end of an era – and the beginning of a new…

Beginning with WordPress 5.1, the phrase “Happy blogging” will be changed to “Happy Publishing” in the file-system of WordPress.

This marks the end of the days when WordPress was perceived as (merely) a blogging tool.

In Changeset 44455 it’s stated that:

As of this commit, WordPress is no longer a simple blogging platform. It’s now a comprehensive publishing solution.

This also replaces a couple of other “blog” references that were missed previously.

This signifies the end of an era, which actually ended a long time ago when WordPress developed into a proper CMS system.

Now it’s formally recognized in the software and by wordpress.org.

WordPress is so much more dynamic than what a blogging tool requires it to be.

Nowadays, WordPress is a true publishing solution that can easily transition into e-commerce stores or online magazines without having to migrate to a new platform.

Gutenberg is now in the hands of thousands, if not millions of users.

With Gutenberg, publishing different types of content is becoming more accessible for coders and non-coders alike.

The new era of “Happy Publishing” in 2019 will bring even more progress to WordPress!