2021-07-17 17:51:33 by Daniel Horecki | Files touched by this commit (2)
Log message:
Security update to 5.7.2.
Security issue fixed:
- Object injection in PHPMailer, CVE-2020-36326 and CVE-2018-19296.

2021-04-23 08:05:55 by Daniel Horecki | Files touched by this commit (2)
Log message:
Security update to 5.7.1.
Two security issues affect WordPress versions between 4.7 and 5.7.
- Thanks to SonarSource for reporting an XXE vulnerability within the media library affecting PHP 8.
- Thanks to Mikael Korpela for reporting a data exposure vulnerability within the latest posts block and REST API.

2021-03-14 18:01:34 by Daniel Horecki | Files touched by this commit (3)
Log message:
Update to version 5.7
Highlights of this release:
- block editor changes
- WP Admin: a new color palette
- from HTTP to HTTPS in a single click
- new robots API
- ongoing cleanup after update to jQuery 3.5.1
- lazy-load your iframes
More details here: https://wordpress.org/support/wordpress-version/version-5.7/

2021-02-28 01:04:11 by Daniel Horecki | Files touched by this commit (3)
Log message:
Update to version 5.6.2.
Changes:
5.6.2:
This maintenance release features 5 bug fixes. These bugs affect WordPress version 5.6.1.
WordPress Core changes on Trac:
- #52440: Prevent the "Leave site" browser alert in Classic Editor when post title, excerpt, or post content fields are missing.
- #52018: Avoid a fatal error in PHP 8.0 when the "zip" PHP extension is disabled.
Block editor changes from GitHub and Trac:
- #52396: Image options are not visible in the popup when clicking the Replace button from the Image block.
- #52449: Can't change font size in the 5.6.1 paragraph block.
- GH-26583: Restore block preview within the block inserter.
5.6.1:
This maintenance release features 20 bug fixes as well as 7 issues fixed on the block editor. These bugs affect WordPress version 5.6.
WordPress Core changes on Trac:
- #51056: Fetch_feed parsing of permalinks triggers simplepie preg_match warnings
- #52327: Requested updates to the PHP Update Alert
- #51940: The schema for the taxonomy property of a term in the REST API should not include all taxonomies
- #51980: App Passwords: ‘Add New Application Password’ submit button is hidden on mobile devices in ‘User Profile’ page
- #51995: WordPress 5.6: Classic editor menu is not sticky
- #52003: Undefined index: PHP_AUTH_PW /wp-includes/user.php on line 469
- #52013: Duplicate wp_authorize_application_password_form actions
- #52030: Media metaboxes return fatal error if no author metadata present
- #52038: Issue in WooCommerce with wp_editor() after update to WP 5.6
- #52046: The Distraction Free Writing setting on the old Edit Post screen may be reset after page reload
- #52065: Media gallery: ‘Align’ and ‘Link To’ fields missing from ‘Insert from URL’
- #52066: Application Passwords are unusable in combination with password protected /wp-admin
- #52075: Word Count on Classic Editor doesn’t update in real time on Firefox unless saved
- #52097: Site Health Loopback Test doesn’t send admin cookies
- #52135: False positive on `WP_Site_Health_Auto_Updates`
- #52196: wp_get_attachment_metadata() is broken if no first argument is passed in.
- #52205: REST API: Plugins Controller single plugin route fatal errors on multisite
- #52299: Exported user data can be listed with directory listing
- #52351: missing echo function for translate method
- #52391: Gutenberg Updates for 5.6.1
Block editor changes from GitHub:
- #27970: Fix editor crash when registering a block pattern without categories
- #27733: Embed block: Add html and reusable support back
- #27727: Add aria labels to box control component inputs/button
- #27627: HTML Block: Fix editor styles
- #27526: Core Data: Normalize _fields value for use in stableKey
- #26705: Fix: Font size picker does not correctly handle big font sizes.
- #26432: Edit Site: prevent inserter overscroll

2020-12-11 19:09:09 by Daniel Horecki | Files touched by this commit (3)
Log message:
Update to WordPress 5.6.
List of changes is here: https://wordpress.org/support/wordpress-version/version-5-6/

2020-11-01 16:06:09 by Daniel Horecki | Files touched by this commit (2)
Log message:
Security and maintenance update to version 5.5.3.
5.5.3:
This maintenance release fixes an issue introduced in WordPress 5.5.2
which makes it impossible to install WordPress on a brand new website
that does not have an existing database connection configuration.
This release does not affect sites where a database connection is
already configured, for example, via one-click installers or
an existing wp-config.php file.
5.5.2:
Security updates:
- Props to Alex Concha of the WordPress Security Team for their work in hardening deserialization requests.
- Props to David Binovec on a fix to disable spam embeds from disabled sites on a multisite network.
- Thanks to Marc Montas from Sucuri for reporting an issue that could lead to XSS from global variables.
- Thanks to Justin Tran who reported an issue surrounding privilege escalation in XML-RPC. He also found and disclosed an issue around privilege escalation around post commenting via XML-RPC.
- Props to Omar Ganiev who reported a method where a DoS attack could lead to RCE.
- Thanks to Karim El Ouerghemmi from RIPS who disclosed a method to store XSS in post slugs.
- Thanks to Slavco for reporting, and confirmation from Karim El Ouerghemmi, a method to bypass protected meta that could lead to arbitrary file deletion.
- And a special thanks to @zieladam who was integral in many of the releases and patches during this release.
Maintenance updates:
#51130 Events displayed in venue timezone instead of user’s
#51659 Update Gutenberg Dependencies for WordPress 5.5.2
#50861 Remove Facebook and Instagram as an oEmbed Source
#50903 Set the local environment to a development environment type by default
#50949 Posts show wrong time when user is in a different time zone than the site’s
#51053 Video Embeds set to align left disappear in Gutenberg editor
#51175 Wrong reply box title
#51219 Theme editor page showing undefined variable notice
#51251 Fix PHP notice when opening the edit image popup
#51263 PHP warning when editing comments in the administration comment edit screen
#51320 PHP Notice while moving post to trash (post_type has 2 registered taxonomies both with default_term set)
#51400 Undefined index during automatic plugin/theme updates
#51595 Unable to make anonymous comments via XML-RPC
#51645 Undefined index: echo in core files

2020-09-19 14:29:16 by Daniel Horecki | Files touched by this commit (3)
Log message:
Update to WordPress 5.5.1.
Changes:
5.5:
- lazy-loaded images
- new sitemap
- autoupdate of plugins and themes
- block editor:
- block patterns
- block directory
- inline image editing
5.5.1:
WordPress Core changes on Trac:
#50882 - Administration: WP 5.5: Cannot attribute content when deleting users
#50998 - Quick/Bulk Edit: Editing posts using bottom "Bulk actions" dropdown menu doesn't work
#38009 - Comments: #reply-title.comment-reply-title not updating when replying to an individual
#50845 - Editor: Block patterns: Fix translatable strings (take 2)
#50858 - Site Health: Check PHP notices with site_status_tests filter
#50887 - Site Health: Add site environment to debug information
#50892 - Editor: Some block patterns have text contrast issues with dark themes
#50910 - Sitemaps: 5.5 Sitemap URLs are incorrectly paginated
#50912 - Site Health: flags define WP_AUTO_UPDATE_CORE value as an error
#50919 - Script Loader: Change the jquery handle back to an alias for jquery-core
#50933 - Media: Lazy loading in 5.5 causes flashing of custom logo in Firefox
#50945 - Site Health: don't give a warning when upload_max_size is lower than max_post_size
#50988 - Upgrade/Install: Pass details about the specific plugin and theme updates attempted to filters
#50992 - Bootstrap/Load: Remove the ability to alter the list of environment types in wp_get_environment_type()
#50999 - Script Loader: Disable concatenation for scripts with translations to ensure they are printed in the right order
#51011 - Upgrade/Install: Empty string comparison on home option during DB upgrades is invalid
#51018 - Editor: PHP Notice thrown when searching for certain terms via the Gutenberg block directory
#51151 - Editor: Packages update
#51021 - REST API: Permit uniqueItems keyword in endpoint args
#51146 - REST API: Fix multi-type schemas with integer fields
#51029 - Filesystem API: Typo in variable name causes warning from fclose()
#51042 - Post: missing excerpt
#51050 - Docs: Add docblock for get_the_archive_title() filter
#51052 - Administration: Undefined index: update-supported
#51060 - Docs: Update register_rest_route docblock to reflect additions since 5.5
#51064 - Bootstrap/Load: Consider adding "local" as environment on WP_ENVIRONMENT_TYPE
#51073 - Administration: Extra padding below the admin bar
#51075 - Docs: Update docs for custom logo functions
#51122 - Docs: add a mention about the use of loading attribute in wp_get_attachment_image function
#51127 - UI/CSS: Remove non-color related styling from Modern color scheme
#51129 - Upgrade/Install: Only display the auto-update links on the Network Admin > Themes screen for themes that support the feature
#51337 - Template: wp_terms_checklist not checking selected taxonomy items with selected_cats option
#51184 - get_the_date() checks $format only for empty variable and fails on false boolean
#51182 - Theme_Installer_skin::do_overwrite does not work on a Windows server
#38009 - #reply-title.comment-reply-title not updating when replying to an individual
#51123 - commonL10n and other JS globals removed without backwards compatibility
#50848 - Clarify the usage of null for auto_update_{$type} filter
#51081 - Fatal Error - Undefined get_page_templates() in Customizer
#51154 - sitemaps should be initialized before each test is run
#51028 - Dot should be out of the quotes
Block editor changes from GitHub:
PR24609 - Fix missing selected block highlighting in list view
PR24599 - Fix specificity for buttons with outline style and background colors
PR24533 - Fix incorrect aria description in List View
PR24516 - Fix regression bug for category select in QueryControls component
PR24478 - Fix tiny editor preview when using Mobile or Tablet options with metaboxes enabled

2020-06-21 21:02:31 by Daniel Horecki | Files touched by this commit (3)
Log message:
Security and maintenance update to WordPress 5.4.2.
Changes:
WordPress versions 5.4 and earlier are affected by the following bugs, which are fixed in version 5.4.2. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.
- Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor.
- Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated users with upload permissions are able to add JavaScript to media files.
- Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect().
- Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads.
- Props to Simon Scannell of RIPS Technologies for finding an issue where set-screen-option can be misused by plugins leading to privilege escalation.
- Props to Carolina Nymark for discovering an issue where comments from password-protected posts and pages could be displayed under certain conditions.
Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.
More details on https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/

2020-05-03 14:00:03 by Daniel Horecki | Files touched by this commit (3)
Log message:
Update to version 5.4.1.
Changes for 5.4:
Too much to include here, visit https://wordpress.org/support/wordpress-version/version-5-4/
Changes for 5.4.1:
Six security issues affect WordPress versions 5.4 and earlier; version 5.4.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.
- Props to Muaz Bin Abdus Sattar and Jannes who both independently reported an issue where password reset tokens were not properly invalidated.
- Props to ka1n4t for finding an issue where certain private posts can be viewed unauthenticated.
- Props to Evan Ricafort for discovering an XSS issue in the Customizer.
- Props to Ben Bidner from the WordPress Security Team who discovered an XSS issue in the search block.
- Props to Nick Daugherty from WPVIP.com / WordPress Security Team who discovered an XSS issue in wp-object-cache.
- Props to Ronnie Goodrich (Kahoots) and Jason Medeiros who independently reported an XSS issue in file uploads.
- Additionally, an authenticated XSS issue in the block editor was discovered by Nguyen the Duc in WordPress 5.4 RC1 and RC2. It was fixed in 5.4 RC5. We wanted to be sure to give credit and thank them for all of their work in making WordPress more secure.
WordPress 5.4.1 also fixes some regressions introduced in version 5.4:
#49838 – Accessibility: Fix the headings hierarchy on the Freedoms page
#49798 – Customize: Give the WordPress logo a white background for dark mode browsers
#49853 – Mail: Make the check for empty post title in wp-mail.php more resilient
#49753 – Media: Remove display: none; from the (visually hidden) <input type="file"> button used in Plupload to select files for uploading. Fixes selecting files in Edge <= 44 and iOS Safari
#49772 – Privacy: Support additional elements (table, ol, ul) in privacy policy guide new styling
#49802 – Privacy: Make the deprecated wp_get_user_request_data() function available on front end
#49645 – REST API: Fix revisions controller get_item permission check
#49648 – REST API: Fix _fields filtering of registered rest fields
#49824 – Site Health: Instantiation prevents use of some hooks by plugins
#49759 – Taxonomy: Un-deprecate category_link and tag_link filters
#49974 – Block Editor updates

2020-02-23 10:59:42 by Daniel Horecki | Files touched by this commit (3)
Log message:
Update to version 5.3.2.
Changes:
Version 5.3.2:
Maintenance updates
- Date/Time: Ensure that get_feed_build_date() correctly handles a modified post object with invalid date.
- Uploads: Fix file name collision in wp_unique_filename() when uploading a file with upper case extension on non case-sensitive file systems.
- Media: Fix PHP warnings in wp_unique_filename() when the destination directory is unreadable.
- Administration: Fix the colors in all color schemes for buttons with the .active class.
- Tests/build tools: In wp_insert_post(), when checking the post date to set future or publish status, use a proper delta comparison.
Version 5.3.1:
Security fixes
- Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
- Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
- Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
- Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.
Maintenance updates
- Administration: improvements to admin form controls height and alignment standardization (see related dev note), dashboard widget links accessibility and alternate color scheme readability issues (see related dev note).
- Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
- Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
- Date/time: improve non-GMT dates calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
- Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
- External libraries: update sodium_compat.
- Site health: allow the remind interval for the admin email verification to be filtered.
- Uploads: avoid thumbnails overwriting other uploads when filename matches, and exclude PNG images from scaling after upload.
- Users: ensure administration email verification uses the user’s locale instead of the site locale.