WordPress.org

WordPress 4.7.5 Security and Maintenance Release

Posted May 16, 2017 by Pascal Birchler. Filed under Releases, Security.

WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.4 and earlier are affected by six security issues:

  1. Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
  2. Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
  3. Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
  4. A Cross Site Request Forgery (CSRF)  vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
  5. A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
  6. A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.5 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.5.

Thanks to everyone who contributed to 4.7.5.

WordPress 4.8 Beta 1

Posted May 13, 2017 by Matt Mullenweg. Filed under Releases.

We’re planning a smaller WP release early next month, bringing in three major enhancements:

  • An improved visual editor experience, with a new TinyMCE that allows you to navigate more intuitively in and out of inline elements like links. (Try it out to see, it’s hard to describe.)
  • A revamp of the dashboard news widget to bring in nearby and upcoming events including meetups and WordCamps.
  • Several new media widgets covering images, audio, and video, and an enhancement to the text widget to support visual editing.

The first beta of 4.8 is now available for testing. You can use the beta tester plugin (or just run trunk) to try the latest and greatest, and each of these areas could use a ton of testing. Our goals are to make editing posts with links more intuitive, make widgets easier for new users and more convenient for existing ones, and get many more people aware of and attending our community events.

Four point eight is here
Small changes with a big punch
Big ones come later

WordPress 4.7.3 Security and Maintenance Release

Posted March 6, 2017 by James Nylen. Filed under Releases, Security.

WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.2 and earlier are affected by six security issues:

  1. Cross-site scripting (XSS) via media file metadata.  Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
  2. Control characters can trick redirect URL validation.  Reported by Daniel Chatfield.
  3. Unintended files can be deleted by administrators using the plugin deletion functionality.  Reported by TrigInc and xuliang.
  4. Cross-site scripting (XSS) via video URL in YouTube embeds.  Reported by Marc Montpas.
  5. Cross-site scripting (XSS) via taxonomy term names.  Reported by Delta.
  6. Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.  Reported by Sipke Mellema.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.3.

Thanks to everyone who contributed to 4.7.3: Aaron D. Campbell, Adam Silverstein, Alex Concha, Andrea Fercia, Andrew Ozz, asalce, blobfolio, bonger, Boone Gorges, Boro Sitnikovski, Brady Vercher, Brandon Lavigne, Bunty, ccprog, chetansatasiya, David A. Kennedy, David Herrera, Dhanendran, Dion Hulse, Dominik Schilling (ocean90), Drivingralle, Ella Van Dorpe, Gary Pendergast, Ian Dunn, Ipstenu (Mika Epstein), James Nylen, jazbek, Jeremy Felt, Jeremy Pry, Joe Hoyle, Joe McGill, John Blackbourn, John James Jacoby, Jonathan Desrosiers, Kelly Dwan, Marko Heijnen, MatheusGimenez, Mike Nelson, Mike Schroder, Muhammet Arslan, Nick Halsey, Pascal Birchler, Paul Bearne, pavelevap, Peter Wilson, Rachel Baker, reldev, Robert O’Rourke, Ryan Welcher, Sanket Parmar, Sean Hayes, Sergey Biryukov, Stephen Edgar, triplejumper12, Weston Ruter, and wpfo.

WordPress 4.7.2 Security Release

Posted January 26, 2017 by Aaron D. Campbell. Filed under Releases, Security.

WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.1 and earlier are affected by three security issues:

  1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
  2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
  3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.
  4. An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint. Reported by Marc-Alexandre Montpas of Sucuri Security. *

Thank you to the reporters of these issues for practicing responsible disclosure.

Download WordPress 4.7.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.2.

Thanks to everyone who contributed to 4.7.2.

* Update: An additional serious vulnerability was fixed in this release and public disclosure was delayed. For more information on this vulnerability, additional mitigation steps taken, and an explanation for why disclosure was delayed, please read Disclosure of Additional Security Fix in WordPress 4.7.2.

WordPress 4.7.1 Security and Maintenance Release

Posted January 11, 2017 by Aaron D. Campbell. Filed under Releases, Security.

WordPress 4.7 has been downloaded over 10 million times since its release on December 6, 2016 and we are pleased to announce the immediate availability of WordPress 4.7.1. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7 and earlier are affected by eight security issues:

  1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was fixed in PHPMailer thanks to Dawid Golunski and Paul Buonopane.
  2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
  3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
  4. Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
  5. Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
  6. Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
  7. A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
  8. Weak cryptographic security for multisite activation key. Reported by Jack.

Thank you to the reporters for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.7.1 fixes 62 bugs from 4.7. For more information, see the release notes or consult the list of changes.

Download WordPress 4.7.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.1.

Thanks to everyone who contributed to 4.7.1: Aaron D. Campbell, Aaron Jorbin, Adam Silverstein, Andrea Fercia, Andrew Ozz, bonger, Boone Gorges, Chandra Patel, Christian Chung, David Herrera, David Shanske, Dion Hulse, Dominik Schilling (ocean90), DreamOn11, Edwin Cromley, Ella van Dorpe, Gary Pendergast, Hristo Pandjarov, James Nylen, Jeff Bowen, Jeremy Felt, Jeremy Pry, Joe Hoyle, Joe McGill, John Blackbourn, Keanan Koppenhaver, Konstantin Obenland, laurelfulford, Marin Atanasov, mattyrob, monikarao, Nate Reist, Nick Halsey, Nikhil Chavan, nullvariable, Payton Swick, Peter Wilson, Presskopp, Rachel Baker, Ryan McCue, Sanket Parmar, Sebastian Pisula, sfpt, shazahm1, Stanimir Stoyanov, Steven Word, szaqal21, timph, voldemortensen, vortfu, and Weston Ruter.

WordPress 4.7 Release Candidate

Posted November 24, 2016 by Helen Hou-Sandi. Filed under Releases.

The release candidate for WordPress 4.7 is now available.

RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.7 on Tuesday, December 6, but we need your help to get there. If you haven’t tested 4.7 yet, now is the time! To test WordPress 4.7, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip).

WordPress 4.7 is a jam-packed release, with a number of features focused on getting a theme set up for the first time. Highlights include a new default theme, video headers, custom CSS, customizer edit shortcuts, PDF thumbnail previews, user admin languages, REST API content endpoints, post type templates, and more.

We’ve made quite a few refinements since releasing Beta 4 a week ago, including usability and accessibility enhancements for video headers, media and page template support in starter content, and polishing of how custom CSS can be migrated to and extended by plugins and themes. The REST API endpoints saw a number of bugfixes and notably now have anonymous comment off by default.

Not sure where to start with testing? Try setting up a fresh site on a new installation with Twenty Seventeen (hint: head into customizing your site before touching any pages or widgets) and taking notes on what you enjoyed and what got you stuck. For more details about what’s new in version 4.7, check out the Beta 1Beta 2, Beta 3, and Beta 4 blog posts.

Think you’ve found a bug? Please post to the Alpha/Beta support forum. If any known issues come up, you’ll be able to find them here.

Developers, please test your plugins and themes against WordPress 4.7 and update your plugin’s Tested up to version in the readme to 4.7. If you find compatibility problems please be sure to post to the support forums so we can figure those out before the final release – we work hard to avoid breaking things. An in-depth field guide to developer-focused changes is coming soon on the core development blog.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages! And if you haven’t yet done so, now is a great time to take the Annual WordPress Survey and send it on to your friends.

Happy testing! And now for another Rami Abraham haiku break.

Select your language
Then let your users choose theirs
get_user_locale()

Theme authors rejoice
Any option may employ
Selective refresh

Custom header video
Make sure to add_theme_support
Bling above the fold

A new template dawns
A hierarchy member
Post-type templates live

PDF updates
Pack a parade of polish
Prettier previews

Template Post Type: New
Template Post Type: And Useful
Template Post Type: Thing

Let lists live lively
Laud wp_list_sort()
Less laconic lists

WordPress 4.7 Beta 4

Posted November 16, 2016 by Helen Hou-Sandi. Filed under Releases.

WordPress 4.7 Beta 4 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.7, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information on what’s new in 4.7, check out the Beta 1, Beta 2, and Beta 3 blog posts, along with in-depth developer guides on make/core. We’ve made about 60 changes in the last few days for beta 4, including tweaks to Twenty Seventeen, custom CSS, and the REST API content endpoints.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

We are almost there
Please test your plugins and themes
RC coming soon

WordPress 4.7 Beta 3

Posted November 11, 2016 by Helen Hou-Sandi. Filed under Development, Releases.

WordPress 4.7 Beta 3 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.7, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information on what’s new in 4.7, check out the Beta 1 and Beta 2 blog posts, along with in-depth field guides on make/core. Some of the changes in Beta 3 include:

  • REST API: The unfiltered_html capability is now respected and rest_base has been added to response objects of wp/v2/taxonomies and wp/v2/types, while get_allowed_query_vars() and the rest_get_post filter have been removed.
  • Roles/Capabilities: Added meta-caps for comment, term, and user meta, which are currently only used in the REST API.
  • I18N: Added the ability to change user’s locale back to site’s locale. (#38632)
  • Custom CSS: Renamed the unfiltered_css meta capability to edit_css and added revisions support to the custom_css post type.
  • Edit shortcuts: Theme authors should take a look at the developer guide to the customizer preview’s visible edit shortcuts and update their themes to take advantage of them if not already implementing selective refresh.
  • Various bug fixes: We’ve made over 50 changes in the last week.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

Building the future
A global community
Stronger together

WordPress 4.7 Beta 2

Posted November 4, 2016 by Helen Hou-Sandi. Filed under Development, Releases.

WordPress 4.7 Beta 2 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.7, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

Notable changes since WordPress 4.7 Beta 1:

For more of what’s new in version 4.7, check out the Beta 1 blog post.

If you want a more in-depth view of what major changes have made it into 4.7, check out posts tagged with 4.7 on the main development blog, or look at a list of everything that’s changed. There will be more developer notes to come, so keep an eye out for those as well.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

Happy testing!

Ya es la hora
Time for another beta
请您帮下忙!

WordPress 4.7 Beta 1

Posted October 28, 2016 by Helen Hou-Sandi. Filed under Development, Releases.

WordPress 4.7 Beta 1 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.7, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

WordPress 4.7 is slated for release on December 6, but we need your help to get there. We’ve been working on a lot of things, many of them to make getting your site set up the way you want it much easier. Here are some of the bigger items to test and help us find as many bugs as possible in the coming weeks:

  • Twenty Seventeen – A brand new default theme brings your site to life with immersive featured images, video headers, and subtle animations. With a focus on business sites, it features multiple sections on the front page as well as widgets, navigation and social menus, a logo, and more. Personalize its asymmetrical grid with a custom color scheme and showcase your multimedia content with post formats. Our default theme for 2017 works great in many languages, for any abilities, and on any device.
  • Video Headers – Sometimes a big atmospheric video as a moving header image is just what you need to showcase your wares; go ahead and try it out with Twenty Seventeen. Need some video inspiration? Try searching for sites with video headers available for download and use.
  • Set up your site in one flow – From finding and installing themes right inside the customizer, to automatically staged theme-specific starter content, to clickable shortcuts that jump directly to editing an item from the preview pane, to adding pages while you’re building a nav menu or setting a static front page: getting a new site spun up and ready to share with a friend or a coworker is faster and easier than it’s ever been. Note: starter content appears when live previewing brand new sites and is currently only available in Twenty Seventeen. We’ll be expanding this to other bundled themes very soon, and perhaps to sites with existing content in future releases of WordPress.
  • Custom CSS with live previews – Ever needed to hide or tweak the look of something in your theme or from a plugin? Now you can do it with CSS and live preview the results while customizing your site. CSS can be a powerful tool; you may find that you won’t need the theme editor or child themes anymore.
  • User admin languages – Just because your site is in one language doesn’t mean that everybody helping manage it prefers that language for their admin. To try this out, you’ll need to have more than one language installed, which will make a user language option available in your profile.
  • PDF thumbnail previews – Uploading PDFs will now generate thumbnail images so you can more easily distinguish between all your documents.

As always, there have been exciting changes for developers to explore as well, such as:

  • REST API content endpoints – If you only test one thing as a developer, please test these. This phase is particularly helpful for people building plugins, themes, and in-admin interfaces. Can you build the things you need? Are these ready for release, and is the world ready for them? (#38373)
  • WP_Hook – The code that lies beneath actions and filters has been overhauled. You likely aren’t affected, but if you’ve done things to the $wp_filter global or experienced funky recursion bugs in the past, please take a moment to read the dev note and test your code.
  • Custom bulk actions – List tables, now with more than bulk edit and delete.
  • Expanded Settings Registration API via register_setting().
  • For theme developers: Post type templates (#18375)
  • More goodies for theme developers!
  • Locale switching (#26511)
  • Comment allowed checks have the potential for a back-compat break.

If you want a more in-depth view of what major changes have made it into 4.7, check out posts tagged with 4.7 on the main development blog, or look at a list of everything that’s changed. There will be more developer notes to come, so keep an eye out for those as well.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

Happy testing, and please enjoy this extended haiku break, courtesy of Rami Abraham.

Exquisite endpoints
Extol epic exabytes
Enabling earthlings

Careful interfaces
Considerately conjured
Customizer chic

Ring in the new year
With elegance and balance
Twenty Seventeen

Hooks hook healthily
17817
Sane iterations

Admin in your tongue
One site, many languages
We all speak WordPress

« Newer PostsOlder Posts »

See Also:

For more WordPress news, check out the WordPress Planet.

There’s also a development P2 blog.

To see how active the project is check out our Trac timeline, it often has 20–30 updates per day.

Categories

%d bloggers like this: