WordPress.org

WordPress 4.8.3 Security Release

Posted October 31, 2017 by Gary Pendergast. Filed under Releases, Security.

WordPress 4.8.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Anthony Ferrara.

This release includes a change in behaviour for the esc_sql() function. Most developers will not be affected by this change; you can read more details in the developer note.

Thank you to the reporter of this issue for practicing responsible disclosure.

Download WordPress 4.8.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.3.

WordPress 4.9 Release Candidate

Posted by Mel Choyce. Filed under Development, Releases.

The release candidate for WordPress 4.9 is now available.

RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.9 on Tuesday, November 14, but we need your help to get there. If you haven’t tested 4.9 yet, now is the time!

To test WordPress 4.9, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip).

We’ve made almost 30 changes since releasing Beta 4 last week. For more details about what’s new in version 4.9, check out the Beta 1, Beta 2, Beta 3, and Beta 4 blog posts.

Developers, please test your plugins and themes against WordPress 4.9 and update your plugin’s Tested up to version in the readme to 4.9. If you find compatibility problems please be sure to post to the support forums so we can figure those out before the final release — we work hard to avoid breaking things. An in-depth field guide to developer-focused changes is coming soon on the core development blog. In the meantime, you can review the developer notes for 4.9.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

This week’s haiku is courtesy of @pento:

this is halloween 🎃
scary, spooky, candy day 👻
rc1 is sweet 🍬

Thanks for your continued help testing out the latest versions of WordPress.

2017 WordPress Survey and WordCamp US

Posted October 26, 2017 by Josepha. Filed under Community, Events.

It’s time for the annual WordPress user and developer survey! If you’re a WordPress user, developer, or business owner, then we want your feedback. Just like previous years, we’ll share the data at the upcoming WordCamp US (WCUS).

It only takes a few minutes to fill out the survey, which will provide an overview of how people use WordPress.

WordCamp US in Nashville

The State of the Word includes stats and an overview of what's new in WordPress and is given every year at WCUS. Don't forget that tickets are available now so you can join the excitement in Nashville this year!

WordPress 4.9 Beta 4

Posted October 25, 2017 by Mel Choyce. Filed under Development, Releases.

WordPress 4.9 Beta 4 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information on what’s new in 4.9, check out the Beta 1 blog post. Since the Beta 1 release, we’ve made 70 changes in Beta 2, and 92 changes in Beta 3. In Beta 4, we’ve made 80 changes, focusing on bug fixes and finalizing new features.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

Beta 4 at last,
RC 1 draws ever near.
Let’s make it bug-free. 🐛🚫

WordPress 4.9 Beta 3

Posted October 19, 2017 by Weston Ruter. Filed under Documentation, Releases.

WordPress 4.9 Beta 3 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information on what’s new in 4.9, check out the Beta 1 blog post. Since the Beta 1 release, we’ve made 70 changes in Beta 2 and 92 changes in Beta 3. A few of these newest changes to take note of in particular:

  • The plugin/theme editors now show files in a scrollable expandable tree list. See #24048.
  • Backwards compatibility has been improved for MediaElement.js, which is upgraded from 2.2 to 4.2. See #42189.
  • When you create post stubs in the Customizer (such as for nav menu items, for the homepage or the posts page), if you then schedule your customized changes or save them as a draft, then these Customizer-created posts will appear in the admin as “Customization Drafts”; these drafts can be edited before your customized changes are published, at which time these posts (or pages) will also be automatically published. See #42220.
  • Theme browsing and installation experience in the Customizer has seen some bugfixes (e.g. #42215 and #42212), with some known remaining issues outstanding in Safari.
  • There is now a callout on the dashboard to install and activate Gutenberg. See #41316.
  • Menus in the Customizer have seen additional usability improvements. See #36279 and #42114.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

Many refinements
Exist within this release;
Can you find them all?

WordPress 4.9 Beta 2

Posted October 12, 2017 by Mel Choyce. Filed under Development, Releases.

WordPress 4.9 Beta 2 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information on what’s new in 4.9, check out the Beta 1 blog post. Since then, we’ve made 70 changes in Beta 2.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

Let’s test all of these:
code editing, theme switches,
widgets, scheduling.

WordPress 4.9 Beta 1

Posted October 5, 2017 by Jeffrey Paul. Filed under Development, Releases.

WordPress 4.9 Beta 1 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

WordPress 4.9 is slated for release on November 14, but we need your help to get there. We’ve been working on making it even easier to customize your site. Here are some of the bigger items to test and help us find as many bugs as possible in the coming weeks:

  • Drafting (#39896) and scheduling (#28721) of changes in the Customizer. Once you save or schedule a changeset, when any user comes into the Customizer the pending changes will be autoloaded. A button is provided to discard changes to restore the Customizer to the last published state. (This is a new “linear” mode for changesets, as opposed to “branching” mode which can be enabled by filter so that every time a user opens the Customizer a new blank changeset will be started.)
  • Addition of a frontend preview link to the Customizer to allow changes to be browsed on the frontend, even without a user being logged in (#39896).
  • Addition of autosave revisions in the Customizer (#39275).
  • A brand new theme browsing experience in the Customizer (#37661).
  • Gallery widget (#41914), following the media and image widgets introduced in 4.8.
  • Support for shortcodes in Text widgets (#10457).
  • Support for adding media to Text widgets (#40854).
  • Support for adding oEmbeds outside post content, including Text widgets (#34115).
  • Support for videos from providers other than YouTube and Vimeo in the Video widget (#42039).
  • Improve the flow for creating new menus in the Customizer (#40104).
  • Educated guess mapping of nav menus and widgets when switching themes (#39692).
  • Plugins: Introduce singular capabilities for activating and deactivating individual plugins (#38652).
  • Sandbox PHP file edits in both plugins and themes, without auto-deactivation when an error occurs; a PHP edit that introduces a fatal error is rolled back with an opportunity then for the user to fix the error and attempt to re-save. (#21622).
  • Addition of dirty state for widgets on the admin screen, indicating when a widget has been successfully saved and showing an “Are you sure?” dialog when attempting to leave without saving changes. (#23120, #41610)

As always, there have been exciting changes for developers to explore as well, such as:

  • CodeMirror editor added to theme/plugin editor, Custom CSS in Customizer, and Custom HTML widgets. Integration includes support for linters to catch errors before you attempt to save. Includes new APIs for plugins to instantiate editors. (#12423)
  • Introduction of an extensible code editor control for adding instances of CodeMirror to the Customizer. (#41897)
  • Addition of global notifications area (#35210), panel and section notifications (#38794), and a notification overlay that takes over the entire screen in the Customizer (#37727).
  • A date/time control in the Customizer (#42022).
  • Improve usability of Customize JS API (#42083, #37964, #36167).
  • Introduction of control templates for base controls (#30738).
  • Use WP_Term_Query when transforming tax queries (#37038).
  • Database: Add support for MySQL servers connecting to IPv6 hosts (#41722).
  • Emoji: Bring Twemoji compatibility to PHP (#35293). Test for any weirdness with emoji in RSS feeds or emails.
  • I18N: Introduce the Plural_Forms class (#41562).
  • Media: Upgrade MediaElement.js to 4.2.5-74e01a40 (#39686).
  • Media: Use max-width for default captions (#33981). We will want to make sure this doesn’t cause unexpected visual regressions in existing themes; default themes were all fine in testing.
  • Media: Reduce duplicated custom header crops in the Customizer (#21819).
  • Media: Store video creation date in meta (#35218). Please help test different kinds of videos.
  • Multisite: Introduce get_site_by() (#40180).
  • Multisite: Improve get_blog_details() by using get_site_by() (#40228).
  • Multisite: Improve initializing available roles when switching sites (#38645).
  • Multisite: Initialize a user’s roles correctly when setting them up for a different site (#36961).
  • REST API: Support registering complex data structures for settings and meta.
  • REST API: Support for objects in schema validation and sanitization (#38583).
  • Role/Capability: Introduce capabilities dedicated to installing and updating language files (#39677).
  • Remove SWFUpload (#41752).
  • Users: Require a confirmation link in an email to be clicked when a user attempts to change their email address (#16470).
  • Core and the unit test suite are fully compatible with the upcoming release of PHP 7.2.

If you want a more in-depth view of what major changes have made it into 4.9, check out posts tagged with 4.9 on the main development blog, or look at a list of everything that’s changed. There will be more developer notes to come, so keep an eye out for those as well.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

Happy testing!

Without your testing,
we might hurt the internet.
Please help us find bugs.🐛

The Month in WordPress: September 2017

Posted October 2, 2017 by Hugh Lashbrooke. Filed under Month in WordPress.

This has been an interesting month for WordPress, as a bold move on the JavaScript front brought the WordPress project to the forefront of many discussions across the development world. There have also been some intriguing changes in the WordCamp program, so read on to learn more about the WordPress community during the month of September.


JavaScript Frameworks in WordPress

Early in the month, Matt Mullenweg announced that WordPress will be switching away from React as the JavaScript library WordPress Core might use — this was in response to Facebook’s decision to keep a controversial patent clause in the library’s license, making many WordPress users uncomfortable.

A few days later, Facebook reverted the decision, making React a viable option for WordPress once more. Still, the WordPress Core team is exploring a move to make WordPress framework-agnostic, so that the framework being used could be replaced by any other framework without affecting the rest of the project.

This is a bold move that will ultimately make WordPress core a lot more flexible, and will also protect it from potential license changes in the future.

You can get involved in the JavaScript discussion by joining the #core-js channel in the Making WordPress Slack group and following the WordPress Core development blog.

Community Initiative to Make WordCamps More Accessible

A WordPress community member, Ines van Essen, started a new nonprofit initiative to offer financial assistance to community members to attend WordCamps. DonateWC launched with a crowdsourced funding campaign to cover the costs of getting things up and running.

Now that she’s raised the initial funds, Ines plans to set up a nonprofit organization and use donations from sponsors to help people all over the world attend and speak at WordCamps.

If you would like to support the initiative, you can do so by donating through their website.

The WordCamp Incubator Program Returns

Following the success of the first WordCamp Incubator Program, the Community Team is bringing the program back to assist more underserved cities in kick-starting their WordPress communities.

The program’s first phase aims to find community members who will volunteer to mentor, assist, and work alongside local leaders in the incubator communities — this is a time-intensive volunteer role that would need to be filled by experienced WordCamp organizers.

If you would like to be a part of this valuable initiative, join the #community-team channel in the Making WordPress Slack group and follow the Community Team blog for updates.

WordPress 4.8.2 Security Release

On September 19, WordPress 4.8.2 was released to the world — this was a security release that fixed nine issues in WordPress Core, making the platform more stable and secure for everyone.

To get involved in building WordPress Core, jump into the #core channel in the Making WordPress Slack group, and follow the Core team blog.


Further Reading:

If you have a story we should consider including in the next “Month in WordPress” post, please submit it here.

Global WordPress Translation Day 3

Posted September 27, 2017 by Hugh Lashbrooke. Filed under Events.

On September 30, 2017, the WordPress Polyglots Team – whose mission is to translate WordPress into as many languages as possible – will hold its third Global WordPress Translation Day, a 24-hour, round-the-clock, digital and physical global marathon dedicated to the localisation and internationalisation of the WordPress platform and ecosystem, a structure that today powers over 28% of all existing websites.

The localisation process allows WordPress and all WordPress-related products (themes and plugins) to be available in local languages, so as to improve their accessibility and usage and to allow as many people as possible to take advantage of the free platform and services available.

In a (not completely) serendipitous coincidence, September 30 has also been declared by the United Nations “International Translation Day”, to pay homage to the great services of translators everywhere, one that allows communication and exchange.

The event will feature a series of multi-language live speeches (training sessions, tutorials, case histories, etc.) that will be streamed live as screencasts, starting from Australia and the Far East and ending in the Western parts of the United States.

In that same 24-hour time frame, Polyglots worldwide will gather physically in local events, for dedicated training and translations sprints (and for some fun and socializing as well), while those unable to physically join their teams will do so remotely.

A big, fun, useful and enlightening party and a lovely mix of growing, giving, learning and teaching, to empower, and cultivate, and shine.

Here are some stats about the first two events:

Global WordPress Translation Day 1

  • 448 translators worldwide
  • 50 local events worldwide
  • 54 locales involved
  • 40350 strings translated, in 597 projects

Global WordPress Translation Day 2

  • 780 translators worldwide
  • 67 local events worldwide
  • 133 locales involved
  • 60426 strings translated, in 590 projects

We would like your help in spreading this news and in reaching out to all four corners of the world to make the third #WPTranslationDay a truly amazing one and to help celebrate the unique and fundamental role that translators have in the Community but also in all aspects of life.

A full press release is available, along with more information and visual assets at wptranslationday.org/press.

For any additional information please don’t hesitate to contact the event team on press@wptranslationday.org.

WordPress 4.8.2 Security and Maintenance Release

Posted September 19, 2017 by Aaron D. Campbell. Filed under Releases, Security.

WordPress 4.8.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.1 and earlier are affected by these security issues:

  1. $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco.
  2. A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
  3. A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
  4. A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
  5. A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).
  6. An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
  7. A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.
  8. A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by Luka (sikic).
  9. A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by Anas Roubi (qasuar).

Thank you to the reporters of these issues for practicing responsible disclosure.

In addition to the security issues above, WordPress 4.8.2 contains 6 maintenance fixes to the 4.8 release series. For more information, see the release notes or consult the list of changes.

Download WordPress 4.8.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.2.

Thanks to everyone who contributed to 4.8.2.
