WordPress 5.0 Beta 3 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site to play with the new version.

There are two ways to test the WordPress 5.0 Beta: try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”), or you can download the beta here (zip).

WordPress 5.0 is slated for release on November 19, and we need your help to get there. Here are some of the big issues that we’ve fixed since Beta 2:

Block Editor

The block editor has been updated to include all of the features and bug fixes from the upcoming Gutenberg 4.2 release. Additionally, there are some newer bug fixes and features, such as:

  • Adding support for the “Custom Fields” meta box.
  • Improving the reliability of REST API requests.
  • A myriad of minor tweaks and improvements.

Twenty Nineteen

Twenty Nineteen has been updated from its GitHub repository, this version is full of new goodies to check out:

  • Adds support for Selective Refresh Widgets in the Customiser.
  • Adds support for Responsive Embeds.
  • Tweaks to improve readability and functionality on mobile devices.
  • Fixes nested blocks appearing wider than they should be.
  • Fixes some errors in older PHP versions, and in IE11.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages! 

If you’re able to contribute with coding or testing changes, we have a multitude of bug scrubs scheduled this week, we’d love to have as many people as we can ensuring all bugs reported get the attention they deserve.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.


WordPress Five Point Oh
is just two short weeks away.
Thank you for helping!
💖

WordPress 5.0 Beta 2 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site to play with the new version.

There are two ways to test the WordPress 5.0 Beta: try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”), or you can download the beta here (zip).

WordPress 5.0 is slated for release on November 19, and we need your help to get there. Here are some of the big issues that we fixed since Beta 1:

Block Editor

We’ve updated to the latest version of the block editor from the Gutenberg plugin, which includes the new Format API, embedding improvements, and a variety of bug fixes.

Meta boxes had a few bugs, and they weren’t showing at all in the block editor, so we’ve fixed and polished there.

Internationalisation

We’ve added support for registering and loading JavaScript translation files.

Twenty Nineteen

The Twenty Nineteen repository is a hive of activity, there have been a stack of minor bugs clean up, and some notable additions:

  • There’s now a widget area in the page footer.
  • Navigation submenus have been implemented for mobile devices.
  • Customiser options have been added for changing the theme colours and feature image filters.

Everything Else

The REST API has a couple of bug fixes and performance improvements. PHP 7.3 compatibility has been improved.


We’re fixing the bugs:
All the ones you’ve reported.
Some that we’ve found, too.

WordPress 5.0 Beta 1 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site to play with the new version, and if you are using an existing test site be sure to update the Gutenberg plugin to v4.1.

There are two ways to test the WordPress 5.0 beta: try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”), or you can download the beta here (zip).

WordPress 5.0 is slated for release on November 19, and we need your help to get there. Here are some of the big items to test so we can find as many bugs as possible in the coming weeks.

The Block Editor

The new Gutenberg block editor is now the default post editor!

The block editor provides a modern, media-rich editing experience. You can create flexible, beautiful content without writing a single line of code, or you can dive into the modern programming APIs that the block editor provides.

Even before you install WordPress 5.0, you can try the block editor here.

Of course, we recognise you might not be ready for this change quite yet. If that’s the case, you can install the Classic Editor plugin now, which will keep the editor you’re familiar with as the default, even after you upgrade to WordPress 5.0.

Twenty Nineteen

Along with the new block editor, we have a new default theme, called Twenty Nineteen, which takes advantage of the new features the block editor provides.

You can read more about Twenty Nineteen in its introduction post, and follow along with development over on the GitHub repository.

Default Themes

Of course, we couldn’t release a beautiful new default theme, and leave all of our old ones behind. All the way back to Twenty Ten, we’ve updated every default them to look good in the new block editor.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages! A known issue: the block autocompleter fails for blocks whose names contain characters in non-Latin scripts. Adding blocks via the plus sign works, and this bug is fixed in the Gutenberg 4.1 plugin. 🙂

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.


Minor bug fixes
Add up one by one by one
Then you change the world

WordPress 4.8.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Anthony Ferrara.

This release includes a change in behaviour for the esc_sql() function. Most developers will not be affected by this change, you can read more details in the developer note.

Thank you to the reporter of this issue for practicing responsible disclosure.

Download WordPress 4.8.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.8.3.

WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.3.

Thanks to everyone who contributed to 4.2.3:

Aaron Jorbin, Andrew Nacin, Andrew Ozz, Boone Gorges, Chris Christoff, Dion Hulse, Dominik Schilling, Ella Iseulde Van Dorpe, Gabriel Pérez, Gary Pendergast, Mike Adams, Robert Chapin, Nikolay Bachiyski, Ross Wintle, and Scott Taylor.

WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.

WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.

We also fixed three other security issues:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

We also made four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati, Allan Collins and Marc-Alexandre Montpas.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.1.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.1.2.

Thanks to everyone who contributed to 4.1.2: Allan Collins, Alex Concha, Andrew Nacin, Andrew Ozz, Ben Bidner, Boone Gorges, Dion Hulse, Dominik Schilling, Drew Jaynes, Gary Pendergast, Helen Hou-Sandí, John Blackburn and Mike Adams.

A number of plugins also released security fixes yesterday. Keep everything updated to stay secure. If you’re a plugin author, please read this post to confirm that your plugin is not affected by the same issue. Thank you to all of the plugin authors who worked closely with our security team to ensure a coordinated response.

Already testing WordPress 4.2? The third release candidate is now available (zip) and it contains these fixes. For more on 4.2, see the RC 1 announcement post.