WordPress 4.2.3 Security and Maintenance Release

WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.3.

Thanks to everyone who contributed to 4.2.3:

Aaron Jorbin, Andrew Nacin, Andrew Ozz, Boone Gorges, Chris Christoff, Dion Hulse, Dominik Schilling, Ella Iseulde Van Dorpe, Gabriel Pérez, Gary Pendergast, Mike Adams, Robert Chapin, Nikolay Bachiyski, Ross Wintle, and Scott Taylor.

WordPress 4.2.1 Security Release

WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.

WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.

WordPress 4.2 “Powell”

Version 4.2 of WordPress, named “Powell” in honor of jazz pianist Bud Powell, is available for download or update in your WordPress dashboard. New features in 4.2 help you communicate and share, globally.


An easier way to share content

Press ThisClip it, edit it, publish it. Get familiar with the new and improved Press This. From the Tools menu, add Press This to your browser bookmark bar or your mobile device home screen. Once installed you can share your content with lightning speed. Sharing your favorite videos, images, and content has never been this fast or this easy.


Extended character support

Character support for emoji, special charactersWriting in WordPress, whatever your language, just got better. WordPress 4.2 supports a host of new characters out-of-the-box, including native Chinese, Japanese, and Korean characters, musical and mathematical symbols, and hieroglyphs.

Don’t use any of those characters? You can still have fun — emoji are now available in WordPress! Get creative and decorate your content with 💙, 🐸, 🐒, 🍕, and all the many other emoji.


Customizer theme switcher

Switch themes in the Customizer

Browse and preview your installed themes from the Customizer. Make sure the theme looks great with your content, before it debuts on your site.

Tumbr.com oEmbed example

Even more embeds

Paste links from Tumblr.com and Kickstarter and watch them magically appear right in the editor. With every release, your publishing and editing experience get closer together.

Inline plugin updates

Streamlined plugin updates

Goodbye boring loading screen, hello smooth and simple plugin updates. Click Update Now and watch the magic happen.


Under the Hood

utf8mb4 support

Database character encoding has changed from utf8 to utf8mb4, which adds support for a whole range of new 4-byte characters.

JavaScript accessibility

You can now send audible notifications to screen readers in JavaScript with wp.a11y.speak(). Pass it a string, and an update will be sent to a dedicated ARIA live notifications area.

Shared term splitting

Terms shared across multiple taxonomies will be split when one of them is updated. Find out more in the Plugin Developer Handbook.

Complex query ordering

WP_Query, WP_Comment_Query, and WP_User_Query now support complex ordering with named meta query clauses.


The Team

Drew JaynesThis release was led by Drew Jaynes, with the help of these fine individuals. There are 283 contributors with props in this release, a new high. Pull up some Bud Powell on your music service of choice, and check out some of their profiles:

@mercime, A5hleyRich, Aaron D. Campbell, Aaron Jorbin, abhishekfdd, Adam Silverstein, Ahmad Awais, Alex King, Alex Mills (Viper007Bond), Alin Marcu, Allan Collins, Andrea Fercia, Andrew Bauer, Andrew Nacin, Andrew Norcross, Andrew Ozz, Ankit Gade, Ankit K Gupta, Anton Timmermans, Aram Zucker-Scharff, ArminBraun, Ashfame, Austin Matzko, avryl, Barry Kooij, Beau Lebens, Ben Doherty (Oomph, Inc), Billy Schneider, Boone B. Gorges, Brandon Kraft, Brian Krogsgard, Brian Watson, CalEvans, carolinegeven, Casey Driscoll, Caspie, Catalin Dogaru, Chip Bennett, chipx86, ChriCo, Chris Baldelomar, Chris Olbekson, Christian Foellmann, Christopher Finke, Clifton Griffin, Code Master, Corphi, Courtney Ivey, Craig Ralston, cweiske, Daisuke Takahashi, Damian, Daniel Bachhuber, Daniel Jalkut (Red Sweater), Darin Kotter, Darren Ethier (nerrad), Daryl L. L. Houston (dllh), Dave McHale, David A. Kennedy, David Anderson, David Herrera, Davide 'Folletto' Casali, davideugenepratt, davidhamiltron, Denis de Bernardy, Derek Herman, Derek Smart, designsimply, Dion Hulse, dipesh.kakadiya, Dominik Schilling, doublesharp, DzeryCZ, Dzikri Aziz, e.mazovetskiy, Eduardo Reveles, Edward Caissie, Elio Rivero, Ella Iseulde Van Dorpe, elliottcarlson, enej, Eric Andrew Lewis, Eric Binnion, Erick Hitter, Evan Solomon, Fabien Quatravaux, fhwebcs, Florian Simeth, Frank Bueltge, Frank P. Walentynowicz, Franz Josef Kaiser, Gary Cao, Gary Jones, Gary Pendergast, Geert De Deckere, genkisan, George Stephanis, Graham Armfield, Gustavo Bordoni, hakre, Harish Chaudhari, hauvong, Helen Hou-Sandí, herbmillerjr, Hew, horike, Hugh Lashbrooke, Hugo Baeta, Ian Dunn, ianmjones, idealien, imath, Ipstenu (Mika Epstein), J.D. Grimes, Jack Lenox, James Collins, janhenckens, Jeff Farthing, Jeffrey de Wit, Jeremy Felt, Jesin A, jipmoors, Joan Artes, Joe Dolson, Joe McGill, Joel Bernerman, Joen Asmussen, John Blackbourn, John Eckman, John James Jacoby, John Levandowski, Jonathan Desrosiers, joost de keijzer, Joost de Valk, Jose Castaneda, Josh Levinson, jphase, Julio Potier, Justin Kopepasah, Justin Sternberg, Justin Watt, K.Adam White, Kailey (trepmal), Kelly Dwan, Kevin Ruscoe, Kim Parsell, Kite, Konstantin Kovshenin, Konstantin Obenland, Lance Willett, Leonard, Leonardo Giacone, Liam Gladdy, maimairel, Mako, Manny Fleurmond, marcelomazza, Marco Chiesi, Marcus Kazmierczak, Marin Atanasov, Mario Peshev, Marius (Clorith), Mark Jaquith, Mark Senff, Marko Heijnen, Matt Gibbs, Matt Martz, Matt Mullenweg, Matt Wiebe, Matt Zak, Matthew Boynes, Matthew Eppelsheimer, Matthew Haines-Young, mattyrob, Max Cutler, mehulkaklotar, Mel Choyce, meloniq, Michael Adams (mdawaffe), Michael Arestad, Michael Beckwith, michalzuber, Mike Glendinning, Mike Hansen, Mike Jordan, Mike Schinkel, MikeNGarrett, Milan Dinic, mmn-o, Mohammad Jangda, MomDad, Morgan Estes, Morpheu5, Naoko Takano, nathan_dawson, Neil Pie, Nick Halsey, nicnicnicdevos, Nikhil Vimal, ninnypants, nitkr, Nuno Morgadinho, OriginalEXE, Paresh Radadiya, Pat Hawks, Paul Bearne, Paul Schreiber, Paul Wilde, pavelevap, Payton Swick, Pete Mall, Pete Nelson, Peter Wilson, Pippin Williamson, podpirate, postpostmodern, Prasath Nadarajah, prasoon2211, Primoz Cigler, r-a-y, Rachel Baker, rahulbhangale, Rami Yushuvaev, Rastislav Lamos, Ravindra Pal Singh, Rian Rietveld, Ritesh Patel, Robert Chapin, Rodrigo Primo, Ross Wintle, Ryan Boren, Ryan Marks, sagarjadhav, samo9789, samuelsidler, Scott Grant, Scott Reilly, Scott Taylor, scott.gonzalez, ScreenfeedFr, scribu, Sean Hayes, Sergej Muller, Sergey Biryukov, sevenspark, Simon Wheatley, Siobhan, sippis, Slobodan Manic, solarissmoke, Stephane Daury, Stephanie Leary, Stephen Edgar, Steve Grunwell, stevehickeydesign, Steven Word, Takashi Irie, Takuro Hishikawa, theMikeD, thomaswm, Thorsten Frommen, Till, Timothy Jacobs, tiqbiz, tmatsuur, tmeister, Tobias Schutter, TobiasBg, tomdxw, Travis Northcutt, trishasalas, Ty Carlson, UaMV, Udit Desai, Ulrich Sossou, Veritaserum, voldemortensen, VolodymyrC, vortfu, welcher, Weston Ruter, William Earnhardt, and WordPressor.

Special thanks go to Siobhan McKeown for producing the release video and Cami Kaos for the voice-over.

Finally, thanks to all of the contributors who provided subtitles for the release video, which at last count had been translated into 30 languages!

Adrian Pop, Alin Marcu, Bagerathan Sivarajah, Besnik, Bjørn Johansen, Chantal Coolsma, cubells, Daisuke Takahashi, Diana K. Cury, DjZoNe, dyrer, Elzette Roelofse, Emre Erkan, fxbenard, TacoVerdo, Gabriel Reguly, Jenny Wong, Gary Jones, Håvard Grimelid, Joachim Jensen, Jimmy Xu, Junko Nukaga, JustinaKenan DervisevicKostas Vrouvas, Krzysztof Trynkiewicz, Luís Rodrigues, Luis Rull, Mark Thomas Gazel , Marius Jensen, matthee, Mattias Tengblad, Matúš Záhradník, Mayuko Moriyama, Michal Vittek, Milan Dinić, MrShemek, Naoko Takano, pavelevap, Peter Holme Obrestad, Petya Raykovska, Przemysław Mirota, qraczek, Rafa Poveda, Rami Yushuvaev, Rasheed Bydousi, Rhoslyn Prys, Robert Axelsen, Sergey Biryukov, Siobhan Bamber, Stephen Edgar, ک To Have داشتن, Torsten Landsiedel, Victor J. Quesada, Wolly, Xavi Ivars, Xavier Borderie

If you want to follow along or help out, check out Make WordPress and our core development blog. Thanks for choosing WordPress. See you soon for version 4.3!

WordPress 4.2 Release Candidate

The release candidate for WordPress 4.2 is now available.

We’ve made more than 140 changes since releasing Beta 4 a week and a half ago. RC means we think we’re done, but with millions of users and thousands of plugins and themes, it’s possible we’ve missed something. We hope to ship WordPress 4.2 on Wednesday, April 22, but we need your help to get there.

If you haven’t tested 4.2 yet, now is the time! (Please though, not on your live site unless you’re adventurous.)

Think you’ve found a bug? Please post to the Alpha/Beta support forum. If any known issues come up, you’ll be able to find them here.

To test WordPress 4.2 RC1, you can use the WordPress Beta Tester plugin or you can download the release candidate here (zip).

For more information about what’s new in version 4.2, check out the Beta 1, Beta 2, Beta 3, and Beta 4 blog posts.

Developers, please test your plugins and themes against WordPress 4.2 and update your plugin’s Tested up to version in the readme to 4.2 before next week. If you find compatibility problems, we never want to break things, so please be sure to post to the support forums so we can figure those out before the final release.

Be sure to follow along the core development blog, where we’ll continue to post notes for developers for 4.2.

Im-Press-ive saving
Achievement unlocked: RC
Release here we come

WordPress 4.2 Beta 4

WordPress 4.2 Beta 4 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information about what’s new in version 4.2, check out the Beta 1, Beta 2, and Beta 3 blog posts. Some of the changes in Beta 4 include:

  • Incrementally improved the experience when accessing the Customizer on mobile. Please test on your mobile devices and let us know if anything seems wonky.
  • Added the ability to make admin notices dismissible. Plugin and theme authors: adding .notice and .is-dismissible as adjacent classes to your notice containers should automatically make them dismissible. Please test.
  • Fixed some reported issues with backward-compatibility issues caused by the modularization of core JS files.
  • Removed the ability to swipe the admin menu open and closed on touch devices due to reports of some issues with built-in history navigation on certain platforms.
  • Improved accessibility of the WordPress admin by adding landmark roles. Screen reader users: please test in any core admin screens.
  • Various bug fixes. We’ve made more than 90 changes in the last week.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. Or, if you’re comfortable writing a bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed.

Dismiss notices
Customizer on mobile
RC nearly here

WordPress 4.2 Beta 3

WordPress 4.2 Beta 3 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information about what’s new in version 4.2, check out the Beta 1 and Beta 2 blog posts. Some of the changes in Beta 3 include:

  • Removed Shiny Installs functionality due to concerns about the activation workflow. Please test the remaining “Shiny Updates” functionality from both the Plugins > Add New and Plugins screens to ensure in-line updating still works as well as before.
  • Fixed an issue with the Comments Quick Edit layout breaking on smaller screens. Please test on your mobile devices.
  • Improved accessibility of login screen errors. Screen reader users: please let us know if you encounter any issues.
  • Refined the emoji compatibility script to only load on the front- and back-end if the browser requires it. If you’re using a legacy web browser, please test.
  • Fixed several issues in Press This with inserted images being improperly linked to locations other than the source site. Go ahead, “press” a site with images on the page and tell us if the image links aren’t working as you’d expect.
  • Standardized the time display format in a variety of admin screens, switching to 24-hour notation where a.m. or p.m. are not specified. Please let us know if you notice you notice anything amiss!
  • Various other bug fixes. We’ve made more than 65 changes in the last week.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. Or, if you’re comfortable writing a bug report, file one on the WordPress Trac. There, you can also find a list of known bugs and everything we’ve fixed.

Emoji loader
“Shiny Updates” still stand firm
Beta 3, please test!

WordPress 4.2 Beta 1

WordPress 4.2 Beta 1 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

4.2 is due out next month, but to get there, we need your help testing what we’ve been working on:

  • Press This has been completely revamped to make sharing content from around the web easier than ever. The new workflow is mobile friendly, and we’d love for you to try it out on all of your devices. Navigate to the Tools screen in your WordPress backend to get started (#31373).
  • Browsing and switching installed themes has been added to the Customizer to make switching faster and more convenient. We’re especially interested to know if this helps streamline the process of setting up your site (#31303).
  • The workflow for updating and installing plugins just got more intuitive with the ability to install or update in-place from the Plugins screens. Try it out and let us know what you think! (#29820)
  • If you felt like emoji were starkly missing from your content toolbox, worry no more. We’ve added emoji support nearly everywhere, even post slugs 
			</div><!-- .entry-content -->

	<footer class=