WordPress 4.9.7

WordPress 4.9.7 is now available. This maintenance and security release fixes 17 bugs.

Download WordPress 4.9.7 or visit Dashboard → Updates and click “Update Now”. Sites that support automatic background updates are already beginning to update automatically.

Thank you to everyone who contributed to WordPress 4.9.7:

1naveengiri, Aaron Jorbin, abdullahramzan, alejandroxlopez, Andrew Ozz, Arun, Birgir Erlendsson (birgire), BjornW, Boone Gorges, Brandon Kraft, Chetan Prajapati, David Herrera, Felix Arntz, Gareth, Ian Dunn, ibelanger, John Blackbourn, Jonathan Desrosiers, Joy, khaihong, lbenicio, Leander Iversen, mermel, metalandcoffee, Migrated to @jeffpaul, palmiak, Sergey Biryukov, skoldin, Subrata Sarkar, Towhidul Islam, warmlaundry, and YuriV.

WordPress versions 4.9.6 and earlier are affected by a file deletion issue: an authenticated user with the capability to edit and delete media files could manipulate an attachment's metadata so that deleting the attachment also attempts to delete files outside the uploads directory.

Thank you to Slavco for reporting the original issue and Matt Barry for reporting related issues.
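The bug class described above is a path traversal on delete: a filename stored in attachment metadata is spliced into an upload path and unlinked without checking where the result resolves. The following is an added example written for this page, not WordPress core code or its patch. It puts the vulnerable splice beside a hardened version that refuses to unlink anything that does not resolve to a file directly inside the attachment's own directory. The function names, the directory tree and the metadata values are all constructed for the demo; it needs PHP 7 or later and runs against a throwaway directory under the system temp path.

```php
<?php
// Added example, not WordPress core code. Models the bug class described
// above: a filename taken from attachment metadata (here $thumb) is spliced
// into the attachment's upload path and unlinked. Paths and metadata values
// below are constructed for the demo.

function thumb_path(string $basedir, string $file, string $thumb): string
{
    // Same splice in both variants: replace the attachment's basename with
    // the metadata-supplied thumbnail name, relative to the uploads basedir.
    return $basedir . '/' . str_replace(basename($file), $thumb, $file);
}

// Vulnerable: returns the path that would be unlinked, with no containment check.
function delete_thumb_unsafe(string $basedir, string $file, string $thumb): string
{
    $target = thumb_path($basedir, $file, $thumb);
    // @unlink($target);   // deliberately not executed in this demo
    return $target;
}

// Hardened: only delete if the resolved target is a regular file sitting
// directly inside the resolved directory of the attachment. realpath()
// collapses ".." and follows symlinks, so a traversal or a planted symlink
// in $thumb resolves outside $dir and is refused.
function delete_thumb_safe(string $basedir, string $file, string $thumb): bool
{
    $target = thumb_path($basedir, $file, $thumb);
    $dir    = $basedir . '/' . dirname($file);

    $realTarget = realpath($target);
    $realDir    = realpath($dir);
    if ($realTarget === false || $realDir === false || is_dir($realTarget)) {
        return false;
    }
    if (dirname($realTarget) !== $realDir) {
        return false;   // escaped the attachment's directory
    }
    return unlink($realTarget);
}

// --- demo on a throwaway tree (constructed) ---
$root    = sys_get_temp_dir() . '/wp-demo-' . bin2hex(random_bytes(4));
$basedir = $root . '/uploads';
mkdir("$basedir/2018/07", 0700, true);
file_put_contents("$basedir/2018/07/image.jpg", 'jpeg');
file_put_contents("$basedir/2018/07/image-150x150.jpg", 'thumb');
file_put_contents("$root/wp-config.php", '<?php // secrets');

$file = '2018/07/image.jpg';

// Attacker-controlled metadata: traversal out of the uploads directory.
$evil = '../../../wp-config.php';
echo "unsafe variant would unlink: ", realpath(delete_thumb_unsafe($basedir, $file, $evil)), "\n";
echo "safe variant deleted evil target: ", var_export(delete_thumb_safe($basedir, $file, $evil), true), "\n";
echo "wp-config.php still present:      ", var_export(file_exists("$root/wp-config.php"), true), "\n";

// Legitimate metadata: the thumbnail next to the original is removed.
echo "safe variant deleted real thumb:  ", var_export(delete_thumb_safe($basedir, $file, 'image-150x150.jpg'), true), "\n";
echo "thumbnail still present:          ", var_export(file_exists("$basedir/2018/07/image-150x150.jpg"), true), "\n";
```

Two caveats for anyone adapting the check: realpath() returns false for a path that does not exist, so the hardened function also refuses a thumbnail that was already removed, which is the safe direction; and because symlinks are resolved before the containment comparison, a symlink planted inside the uploads tree that points elsewhere is refused rather than followed.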

Other highlights of 4.9.7 include:

  • Taxonomy: Improve cache handling for term queries.
  • Posts, Post Types: Clear post password cookie when logging out.
  • Widgets: Allow basic HTML tags in sidebar descriptions on the Widgets admin screen.
  • Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.
  • Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.

You can see the full list of changes in Trac.

The previously scheduled 4.9.7 is now referred to as 4.9.8, and will follow the release schedule posted yesterday.

#minor-releases, #security

Disclosure of Additional Security Fix in WordPress 4.7.2

WordPress 4.7.2 was released last Thursday, January 26th. If you have not already updated, please do so immediately.

In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. There was an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this.

We believe transparency is in the public’s best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.

On January 20th, Sucuri alerted us to a vulnerability discovered by one of their security researchers, Marc-Alexandre Montpas. The security team began assessing the issue and working on solutions. While a first iteration of a fix was created early on, the team felt that more testing was needed.

Meanwhile, Sucuri added rules to their Web Application Firewall (WAF) to block exploit attempts against their clients. This issue was found internally and no outside attempts were discovered by Sucuri.

Over the weekend, we reached out to several other companies with WAFs including SiteLock, Cloudflare, and Incapsula and worked with them to create a set of rules that could protect more users. By Monday, they had put rules in place and were regularly checking for exploit attempts in the wild.

On Monday, while we continued to test and refine the fix, our focus shifted to WordPress hosts. We contacted them privately with information on the vulnerability and ways to protect users. Hosts worked closely with the security team to implement protections and regularly checked for exploit attempts against their users.

By Wednesday afternoon, most of the hosts we worked with had protections in place. Data from all four WAFs and WordPress hosts showed no indication that the vulnerability had been exploited in the wild. As a result, we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public.

On Thursday, January 26, we released WordPress 4.7.2 to the world. The release went out over our autoupdate system and, over a couple of hours, millions of WordPress 4.7.x users were protected without knowing about the issue or taking any action at all.

We’d like to thank Sucuri for their responsible disclosure, as well as working with us to delay disclosure until we were confident that as many WordPress sites were updated to 4.7.2 as possible. We’d also like to thank the WAFs and hosts who worked closely with us to add additional protections and monitored their systems for attempts to use this exploit in the wild. As of today, to our knowledge, there have been no attempts to exploit this vulnerability in the wild.

#4-7, #release, #security

WordPress 3.6: Menus

For menus we’re going to try to focus on some UI improvements. Menus work pretty well but users, especially the less-technical ones, are easily confused. We’ve seen them try to add menus without names because they see the “Create Menu” button before they see the menu name field, we’ve seen them add a bunch of menus instead of menu items because they’re unclear on the difference, etc, etc. The goal for the 3.6 cycle is to make menus a little more intuitive and user friendly.

@markjaquith and I are excited to have @lessbloat leading this. Take a look at all the user testing that has already been happening over at #23119 and make sure you comment here if you’re interested in helping out!

#3-6, #menus

WordPress 3.6: Revisions

Revisions are an extremely powerful tool for content tracking, but there are a few parts that need a little TLC. Ever since they were first introduced, there’s been a problem with proper author attribution on revisions (see #16215), and we’re going to take a crack at fixing that in 3.6. Additionally, while the current diffs are pretty cool, and make a lot of sense to those of us that look at diffs every day, there’s a lot of room for improvement for your average user. We’d like to see some UI improvements around the diffs as well as information that makes more sense to an average content creator (words changed, a visual representation of what was added/removed, prettier output, etc).

@markjaquith and I chose @westi to lead this. I’m excited to see the improvements on this one! There’s a little of everything in this project, so please leave a comment if you’re interested in lending a hand.

#3-6, #revisions

WordPress 3.6: Editorial Flow

I’m really excited to see our editorial flow get some love in the 3.6 cycle! We always want to be as extensible as possible and post statuses are one of those places where we’re not nearly as good as we should be. The plan goes something like this:

  1. Fully support the existing register_post_status() API in core
    • Make sure things don’t break when you add your own custom statuses
    • Update the metabox UI to show any newly registered statuses in the drop down, etc.
    • Add a ‘moderation’ flag so that unpublished statuses can be explicitly identified
    • Support for non-standard public post statuses
  2. Enhance the existing API
    • Add support for registering post statuses to specific post types
    • Allow for caps checks on different post statuses
    • New remove_post_status() function for removing an already-registered post status
  3. Editing workflow for already published content

Additionally, we hope to address some issues around post meta for revisions, which is tightly related to the workflow for already published content.

@markjaquith and I have chosen Daniel Bachhuber to lead this. If you’re not sure why, just Google WordPress Edit Flow and it’ll all make sense. There’s a lot of heavy-duty under the hood work here, so please leave a comment if you’re interested in lending a hand.

#3-6, #editorial-flow

WordPress 3.6: the Post Formats UI feature

Post formats is going to be a major win for 3.6. It’s one of those features that has so much potential, but it really falls short in usability and honestly we haven’t really taken the time to truly show what it can do. We’re going to re-think the admin UI for post formats, similar to what Alex King did with his WordPress Post Formats Admin UI plugin. The goal is to make post formats much more user friendly and then show them off with the 2013 theme.

We’ve chosen @helen as lead for this project. Helen has done some amazing stuff customizing the post screen for various projects, and we’re glad to be able to leverage that for core.

Anyone interested in helping with this feature, please comment to let us know. The 3.6 schedule is considerably shorter than the 3.5 schedule was, so we really need to get moving on things as quickly as possible.

#3-6, #post-formats

Team Update: Headerators

We’ve pretty much wrapped up flexible headers (#17242) for both width and height. We’re currently reviewing a patch on #19840 and hope to have that finished this cycle. Our next project will be to work with Team Gandalf to help integrate flexible headers into their theme preview.

#3-4, #customize, #headerators, #team-update

Team Update – Headerators

We focused on flexible headers this cycle (#17242). We have a patch that we think is ready for commit, which adds flexible height and width. We had Nacin and Mark Jaquith look at the patch, they made some recommendations that we integrated, and it seems ready to go into core for some testing.

You can test with the latest version of the Essence Theme on GitHub or see comment 48 on the ticket for information on how to add support to your own theme.

#headerators, #team-update

I was considering adding another idea to…

I was considering adding another idea to the GSoC ideas wiki, but wanted to run it by the devs here first. Basically, making the login, registration, and lost password pages fully themeable. I know some work on this was started in #11172 with the creation of wp_login_form(), but we still seem to be pretty far from letting theme authors include login.php, register.php, and/or lost-password.php theme files.

If it’s something that everyone thinks is a valid idea and a project we would like to see, I’ll try to flesh it out and add it to the wiki.

#gsoc

Core Plugin Infrastructure Update

Just a quick update on where we stand with the infrastructure for core plugin development. The mailing lists are currently being used and it looks like they should be able to scale fine.

We still need a patch or plugin for Trac (https://core.trac.wordpress.org/ticket/11898) to help it handle the sheer number of plugins currently in the repository (not to mention the expected future growth). If anyone is able to help with that, please post on that ticket.

The next steps will be to rework the current layout of the plugin pages on wordpress.org. Currently there’s a link on the admin tab to that plugin’s Revision Log as well as the RSS feed for that log. That needs to be moved some place where regular users can see it. Additionally the plan is to add a way for plugin authors to request a mailing list for their plugin directly from the wordpress.org repository.

I’m excited to see all this fall into place so that we can turn the corner and see how core plugins will really shape up!

#core-plugins