WordPress 5.3.2 Maintenance Release

WordPress 5.3.2 is now available!

This maintenance release features 5 fixes and enhancements.

WordPress 5.3.2 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.2 by clicking the button at the top of this page, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Maintenance updates

Shortly after WordPress 5.3.1 was released, a couple of high severity Trac tickets were opened. The Core team scheduled this quick maintenance release to resolve these issues.

Main issues addressed in 5.3.2:

  • Date/Time: Ensure that get_feed_build_date() correctly handles a modified post object with invalid date.
  • Uploads: Fix file name collision in wp_unique_filename() when uploading a file with upper case extension on non case-sensitive file systems.
  • Media: Fix PHP warnings in wp_unique_filename() when the destination directory is unreadable.
  • Administration: Fix the colors in all color schemes for buttons with the .active class.
  • Posts, Post Types: In wp_insert_post(), when checking the post date to set future or publish status, use a proper delta comparison.

For more information, browse the full list of changes on Trac or check out the version 5.3.2 HelpHub documentation page.

Thanks!

Thank you to everyone who contributed to WordPress 5.3.2:

Andrew Ozz, Andrey “Rarst” Savchenko, Dion hulse, eden159, Jb Audras, Kelly Dwan, Paul Biron, Sergey Biryukov, Tellyworth.

WordPress 5.3.1 Security and Maintenance Release

WordPress 5.3.1 is now available!

This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.

WordPress 5.3.1 is a short-cycle maintenance release. The next major release will be version 5.4.

You can download WordPress 5.3.1 by clicking the button at the top of this page, or visit your Dashboard → Updates and click Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security updates

Four security issues affect WordPress versions 5.3 and earlier; version 5.3.1 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.3, there are also updated versions of 5.0 and earlier that fix the security issues.

  • Props to Daniel Bachhuber for finding an issue where an unprivileged user could make a post sticky via the REST API.
  • Props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where cross-site scripting (XSS) could be stored in well-crafted links.
  • Props to the WordPress.org Security Team for hardening wp_kses_bad_protocol() to ensure that it is aware of the named colon attribute.
  • Props to Nguyen The Duc for discovering a stored XSS vulnerability using block editor content.

Maintenance updates

Here are a few of the highlights:

  • Administration: improvements to admin form controls height and alignment standardization (see related dev note), dashboard widget links accessibility and alternate color scheme readability issues (see related dev note).
  • Block editor: fix Edge scrolling issues and intermittent JavaScript issues.
  • Bundled themes: add customizer option to show/hide author bio, replace JS based smooth scroll with CSS (see related dev note) and fix Instagram embed CSS.
  • Date/time: improve non-GMT dates calculation, fix date format output in specific languages and make get_permalink() more resilient against PHP timezone changes.
  • Embeds: remove CollegeHumor oEmbed provider as the service doesn’t exist anymore.
  • External libraries: update sodium_compat.
  • Site health: allow the remind interval for the admin email verification to be filtered.
  • Uploads: avoid thumbnails overwriting other uploads when filename matches, and exclude PNG images from scaling after upload.
  • Users: ensure administration email verification uses the user’s locale instead of the site locale.

For more information, browse the full list of changes on Trac or check out the version 5.3.1 HelpHub documentation page.

Thanks!

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.3.1:

123host, acosmin, Adam Silverstein, Albert Juhé Lluveras, Alex Concha, Alex Mills, Anantajit JG, Anders Norén, andraganescu, Andrea Fercia, Andrew Duthie, Andrew Ozz, Andrey “Rarst” Savchenko, aravindajith, archon810, Ate Up With Motor, Ayesh Karunaratne, Birgir Erlendsson (birgire), Boga86, Boone Gorges, Carolina Nymark, Chetan Prajapati, Csaba (LittleBigThings), Dademaru, Daniel Bachhuber, Daniele Scasciafratte, Daniel Richards, David Baumwald, David Herrera, Dion hulse, ehtis, Ella van Durpe, epiqueras, Fabian, Felix Arntz, flaviozavan, Garrett Hyder, Glenn, Grzegorz (Greg) Ziółkowski, Grzegorz.Janoszka, Hareesh Pillai, Ian Belanger, ispreview, Jake Spurlock, James Huff, James Koster, Jarret, Jasper van der Meer, Jb Audras, jeichorn, Jer Clarke, Jeremy Felt, Jip Moors, Joe Hoyle, John James Jacoby, Jonathan Desrosiers, Jonny Harris, Joost de Valk, Jorge Costa, Joy, Juliette Reinders Folmer, justdaiv, Kelly Dwan, Kharis Sulistiyono, Kite, kyliesabra, lisota, lukaswaudentio, Maciej Mackowiak, marcelo2605, Marius L. J., Mat Lipe, mayanksonawat, Mel Choyce-Dwan, Michael Arestad, miette49, Miguel Fonseca, mihdan, Mike Auteri, Mikko Saari, Milan Petrovic, Mukesh Panchal, NextScripts, Nick Daugherty, Niels Lange, noyle, Ov3rfly, Paragon Initiative Enterprises, Paul Biron, Peter Wilson, Rachel Peter, Riad Benguella, Ricard Torres, Roland Murg, Ryan McCue, Ryan Welcher, SamuelFernandez, sathyapulse, Scott Taylor, scvleon, Sergey Biryukov, sergiomdgomes, SGr33n, simonjanin, smerriman, steevithak, Stephen Bernhardt, Stephen Edgar, Steve Dufresne, Subrata Mal, Sultan Nasir Uddin, Sybre Waaijer, Tammie Lister, Tanvirul Haque, Tellyworth, timon33, Timothy Jacobs, Timothée Brosille, tmatsuur, Tung Du, Veminom, vortfu, waleedt93, williampatton, wpgurudev, and Zack Tollman.

WordPress 5.2.4 Update

Late-breaking news on the 5.2.4 short-cycle security release that landed October 14. When we released the news post, I inadvertently missed giving props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where path traversal can lead to remote code execution.

Simon has done a great deal of work on the WordPress project, and failing to mention his contributions is a huge oversight on our end.

Thank you to all of the reporters for privately disclosing vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.

WordPress 5.3 “Kirk”

Album cover for WordPress 5.3 Kirk, showcasing a duotone red/cream Rahsaan Roland Kirk playing the saxophone on a red background.

Introducing our most refined user experience with the improved block editor in WordPress 5.3! Named “Kirk” in honour of jazz multi-instrumentalist Rahsaan Roland Kirk, the latest and greatest version of WordPress is available for download or update in your dashboard.

5.3 expands and refines the block editor with more intuitive interactions and improved accessibility. New features in the editor increase design freedoms, provide additional layout options and style variations to allow designers more control over the look of a site.

This release also introduces the Twenty Twenty theme giving the user more design flexibility and integration with the block editor. Creating beautiful web pages and advanced layouts has never been easier.


Block Editor Improvements

This enhancement-focused update introduces over 150 new features and usability improvements, including improved large image support for uploading non-optimized, high-resolution pictures taken from your smartphone or other high-quality cameras. Combined with larger default image sizes, pictures always look their best.

Accessibility improvements include the integration of block editor styles in the admin interface. These improved styles fix many accessibility issues: color contrast on form fields and buttons, consistency between editor and admin interfaces, new snackbar notices, standardizing to the default WordPress color scheme, and the introduction of Motion to make interacting with your blocks feel swift and natural.

For people who use a keyboard to navigate the dashboard, the block editor now has a Navigation mode. This lets you jump from block to block without tabbing through every part of the block controls.


Expanded Design Flexibility

WordPress 5.3 adds even more robust tools for creating amazing designs.

  • The new Group block lets you easily divide your page into colorful sections.
  • The Columns block now supports fixed column widths.
  • The new predefined layouts make it a cinch to arrange content into advanced designs.
  • Heading blocks now offer controls for text and background color.
  • Additional style options allow you to set your preferred style for any block that supports this feature.

Introducing Twenty Twenty

A desktop preview of the Twenty Twenty theme, showing both the front-end and the editor view.
A mobile image of the Twenty Twenty  theme, over a decorative backgorund of brown-grey bars.

As the block editor celebrates its first birthday, we are proud that Twenty Twenty is designed with flexibility at its core. Show off your services or products with a combination of columns, groups, and media blocks. Set your content to wide or full alignment for dynamic and engaging layouts. Or let your thoughts be the star with a centered content column!

As befits a theme called Twenty Twenty, clarity and readability is also a big focus. The theme includes the typeface Inter, designed by Rasmus Andersson. Inter comes in a Variable Font version, a first for default themes, which keeps load times short by containing all weights and styles of Inter in just two font files.


Improvements for Everyone

An icon showing an arrow rotating a square.

Automatic Image Rotation

Your images will be correctly rotated upon upload according to the embedded orientation data. This feature was first proposed nine years ago and made possible through the perseverance of many dedicated contributors.

A plus in a square, indicating health.

Improved Site Health Checks

The improvements introduced in 5.3 make it even easier to identify issues. Expanded recommendations highlight areas that may need troubleshooting on your site from the Health Check screen.

A email icon.

Admin Email Verification

You’ll now be periodically asked to confirm that your admin email address is up to date when you log in as an administrator. This reduces the chance of getting locked out of your site if you change your email address.


For Developers

Date/Time Component Fixes

Developers can now work with dates and timezones in a more reliable way. Date and time functionality has received a number of new API functions for unified timezone retrieval and PHP interoperability, as well as many bug fixes.

PHP 7.4 Compatibility

WordPress 5.3 aims to fully support PHP 7.4. This release contains multiple changes to remove deprecated functionality and ensure compatibility. WordPress continues to encourage all users to run the latest and greatest versions of PHP.

The Squad

This release was led by Matt MullenwegFrancesca Marano, and David Baumwald. They were enthusiastically supported by a large release squad:

The squad was joined throughout the twelve week release cycle by 645 generous volunteer contributors (our largest group of contributors to date) who collectively fixed 658 bugs.

Put on a Rahsaan Roland Kirk playlist, click that update button, and check the profiles of the fine folks that helped:

123host, 1994rstefan, 5hel2l2y, @irsdl, Aaron D. Campbell, Aaron Jorbin, Aashish S, Abhijit Rakas, abrightclearweb, acalfieri, acosmin, Adam Silverstein, Adam Soucie, Adhitya Rachman, ahdeubzer, Ahmad Awais, Ajay Ghaghretiya, Ajit Bohra, ajlende, Akira Tachibana, albertomake, Alex Concha, Alex Dimitrov, Alex Lion, Alex Sanford, Alexander Botteram, Alexandre D'Eschambeault, Alexandru Vornicescu, alexeyskr, alextran, Ali Ayubi, allancole, Allen Snook, Alvaro Gois dos Santos, Amanda Rush, amolv, Anders Norén, Andrea Fercia, Andrea Gandino, Andrea Grillo, Andrea Middleton, Andreas Brain, Andrei Draganescu, Andrew Duthie, Andrew Nacin, Andrew Nevins, Andrew Ozz, Andrew Taylor, Andrey Savchenko, Andrés Maneiro, Andy Fragen, Andy Meerwaldt, Angela Gibson, Anh Tran, anischarolia, Anthony Burchell, Anton Timmermans, Apermo, Arafat Rahman, arena, Ari Stathopoulos, Arun Sathiya, Asad, asadkn, Ashar Irfan, ashwinpc, Aslam Shekh, atlasmahesh, au87, Aubrey Portwood, augustuswm, Aurooba Ahmed, Avina Patel, Axel DUCORON, Ayesh Karunaratne, backermann1978, Bartosz Romanowski, Bego Mario Garde, Benjamin Intal, Benjamin Zekavica, bennemann, bgermann, Bhaktii Rajdev, bibliofille, Biranit, Birgir Erlendsson, bitcomplex, BjornW, boblinthorst, Boone Gorges, Boro Sitnikovski, Bradley Jacobs, Bradley Taylor, Brandon Kraft, Brent Swisher, Bronson Quick, bsetiawan88, Burhan Nasir, Carlos Bravo, Carolina Nymark, Catalin Dogaru, Cathi Bosco, Chandra Patel, Charlie Merland, Chetan Prajapati, Chetan Satasiya, Chico, Chintan hingrajiya, ChriCo, Chris Aprea, Chris Van Patten, Christian Chung, Christian Wach, christianoliff, Christoph Herr, cleancoded, cmagrin, codesue, CompileNix, Corey Salzano, courtney0burton, Cristiano Zanca, Csaba (LittleBigThings), D.S. Webster, daleharrison, Dan Foley, Dan Jones, DanBUK, Daniel Bachhuber, Daniel Jalkut (Red Sweater), Daniel James, Daniel Llewellyn, Daniel Richards, danieliser, daniloercoli, Danny van Kooten, Darren Ethier, darthhexx, Dave Parker, Dave Smith, Dave Whitley, davetgreen, David Aguilera, David Anderson, David Binovec, David Binovec, David Decker, David Herrera, David Rozando, David Shanske, daxelrod, Debabrata Karfa, Deni, Denis Cherniavsky, Denis Yanchevskiy, Dennis, Dennis Hipp, Dennis Snell, Derek Sifford, derweili, dfangstrom, Dharmin Shah, Dhaval kasavala, dhuyvetter, Diane Co, DiedeExterkate, Diego La Monica, digitalapps, Dilip Bheda, Dima, dingo-d, Dion Hulse, Dixita Dusara, Dominik Schilling, Drew Jaynes, Dukex, dushanthi, EcoTechie, Edi Amin, Eduardo Toledo, Ella van Durpe, Elliot Condon, Emerson Maningo, Emil Dotsev, Emil Uzelac, Enrique Piqueras, Enrique Sánchez, erikkroes, estelaris, evalarumbe, faazshift, Fabian Kägy, fblaser, Felipe Elia, Felix Arntz, Fencer04, flipkeijzer, Florian TIAR, Foysal Remon, Gal Baras, Garrett Hyder, Garth Mortensen, Gary Jones, Gary Pendergast, Gaurang Dabhi, Gennady Kovshenin, Gesundheit Bewegt GmbH, ghoul, girlieworks, glauberglauber, Glenn, GravityView, gregsullivan, Grzegorz Ziółkowski, gwwar, Hardeep Asrani, Hardik Thakkar, hardipparmar, Hareesh Pillai, Hareesh Pillai, harryfear, harshbarach, haszari, He Yifei, Helen Hou-Sandi, Henry Wright, herbmiller, herregroen, hirofumi2012, HKandulla, Howdy_McGee, hoythan, Hugh Lashbrooke, hypest, Ian Belanger, Ian Dunn, ianmjones, Igor Zinovyev, imath, Imran Sayed, intimez, Ipstenu (Mika Epstein), iqbalbary, Irene Strikkers, Isabel Brison, Ismail El Korchi, J.D. Grimes, jagirbaheshwp, Jake Spurlock, Jalpa Panchal, James Nylen, jameslnewell, janak Kaneriya, Janki Moradiya, janw.oostendorp, jared_smith, jarocks, Jarret, jave.web, javorszky, Jay Swadas, Jaydip, Jean-Baptiste Audras, Jeff Farthing, Jeff Paul, jeichorn, Jen Miller, jenkoian, Jeremy Felt, Jesper van Engelen, Jessica Lyschik, jffng, jikamens, jitendrabanjara1991, jkitchen, jmmathc, joakimsilfverberg, Job, jodamo5, Joe Dolson, Joe Hoyle, Joe McGill, Joen Asmussen, John Blackbourn, John James Jacoby, John Regan, jojotjebaby, Jonathan Champ, Jonathan Davis, Jonathan Desrosiers, Jonathan Goldford, Jonny Harris, Jono Alderson, Joost de Valk, Jorge Bernal, Jorge Costa, Joseph Scott, Josepha Haden, Josh Pollock, Joshua Noyce, JoshuaWold, Joy, jsnajdr, Juanfra Aldasoro, Juhi Patel, Juliette Reinders Folmer, Julio Potier, junktrunk, Justin Ahinon, Justin Tadlock, K. Adam White, kafleg, Kailey (trepmal), Kakshak Kalaria, Kamran Khorsandi, karlgroves, katielgc, kbrownkd, Kelly Dwan, Kelly Hoffman, Kerfred, kero, ketanumretiya030, kevIN kovaDIA, killerbishop, killua99, Kjell Reigstad, Knut Sparhell, kokers, Konstantin Obenland, Konstantinos Xenos, kuus, laurelfulford, lbenicio, leogermani, leonblade, lessbloat, Lindstromer, lllor, lordlod, LoreleiAurora, Luan Ramos, luciano-croce, luigipulcini, luisherranz, Luke, Luke Carbis, Luke Cavanagh, m1tk00, maartenleenders, Maciej Palmowski, Mahesh Waghmare, Maje Media LLC, malthert, manooweb, Manuel Augustin, Manzoor Wani, MarcGuay, Marcin Pietrzak, Marco Martins, MarcosAlexandre, Marcus Kazmierczak, marekhrabe, Marie Comet, Mario Aguiar, Mario Peshev, Marius Jensen, Mark D Wolinski, Mark Jaquith, Mark Uraine, Marko Heijnen, Martin Spatovaliyski, Martin Splitt, Marty Helmick, Mary Baum, masummdar, Mat Gargano, Mat Lipe, Mathieu Sarrasin, Matt Chowning, Matthew Boynes, Matthew Haines-Young, matthias.thiel, mattyrob, Matías Ventura, Maxime Culea, Maxime Jobin, maxme, Meet Makadia, mehidi258, Mehul Kaklotar, Mel Choyce, Melin Edomwonyi, meloniq, Michael Arestad, Michael Babker, Michael Nelson, Michael Panaga, michel.weimerskirch, Michiel Heijmans, Miguel Fonseca, Miguel Vieira, mihaiiceyro, Miina Sikk, Mikael Korpela, Mike Auteri, Mike Glendinning, Mike Hansen, Mike Jolley, Mike Reid, Mike Schroder, MikeNGarrett, Milan Dinić, Mobeen Abdullah, Mohsin Rasool, Monika Rao, Monique Dubbelman, Morgan Kay, Morten Rand-Hendriksen, Morteza Geransayeh, moto hachi ( mt8.biz ), mppfeiffer, mrmadhat, msaggiorato, mtias, Muhammad Afzal, Mukesh Panchal, munyagu, mzorz, nadir, Naveen Kharwar, Nayana Maradia, Ned Zimmerman, Neel Patel, Nextendweb, Niall Kennedy, Nick Daugherty, Nick Halsey, nicolad, Nicolas Juen, Niels de Blaauw, Niels Lange, Nikhil Chavan, nikolastoqnow, Niku Hietanen, Nilambar Sharma, Nishit Langaliya, Nitish Kaila, nmenescardi, noahtallen, notnownikki, Okamoto Hidetaka, Omaar Osmaan, Omar Reiss, onlanka, oxyc, ozmatflc, Paal Joachim Romdahl, Paragon Initiative Enterprises, Paresh Shinde, Pascal Birchler, Pascal Casier, patilvikasj, Patrick Baldwin, Paul Bearne, Paul Biron, Paul Schreiber, Paul Vincent Beigang, Pedro Mendonça, pepe, Peter Wilson, PhillipJohn, Pierre Gordon, pikamander2, Pilar Mera, Pinar Olguc, powerbuoy, Pramod Jodhani, Pratik, Pratik K. Yadav, Prem Tiwari, Presskopp, Priyank Patel, Quantumstate, Raaj Trambadia, Raam Dev, raboodesign, Rahul Vaza, Ramanan, Rami Yushuvaev, ramon fincken, RC Lations, rebasaurus, ReikoDD, Remco Tolsma, retrofox, Riad Benguella, Richard Korthuis, Riddhi Mehta, Rishabh Budhiraja, Robert Anderson, Robert Chapin, Robert Ivanov, rogueresearch, Roi Conde, Ronak Ganatra, Ronny Harbich, Roy Randolph, Roy Tanck, Ryan Boren, Ryan Kienstra, Ryan McCue, Ryan Welcher, Sébastien SERRE, samgordondev, Sami Ahmed Siddiqui, Samir Shah, Samuel Wood (Otto), Sanket Mehta, sarah semark, sarath.ar, saskak, sbardian, Scott Reilly, Sebastian Pisula, Seghir Nadir, Sergey Biryukov, Sergey Predvoditelev, sergiomdgomes, seuser, sgastard, Shady Sharaf, Shamim Hasan, Sharaz Shahid, Shashank Panchal, shawfactor, Shital Marakana, siliconforks, simono, sirreal, Sixes, Slava Abakumov, Slobodan Manic, smerriman, snapfractalpop, socalchristina, Soren Wrede, Spectacula, spenserhale, spuds10, Stanimir Stoyanov, Stefano Minoia, Stephen Bernhardt, Stephen Edgar, Steven Word, studyboi, Subrata Sarkar, Sudhir Yadav, Sultan Nasir Uddin, sun, svanhal, Swapnil V. Patil, swapnild, Sybre Waaijer, Sérgio Estêvão, Takayuki Miyauchi, Takis, Tammie Lister, tazotodua, technote, Tellyworth, Tessa Kriesel, them.es, Themezly, Thijs Hulshof, Thomas Kräftner, thomaswm, Thord D. Hedengren, Thorsten Frommen, Thrijith Thankachan, tigertech, Tim Carr, Tim Havinga, Tim Hengeveld, Timothy Jacobs, timph, tmatsuur, tmdesigned, TobiasBg, toddhalfpenny, Todor Gaidarov, Tom J Nowell, Tommy Ferry, Toni Viemerö, tonybogdanov, Tor-Bjorn Fjellner, torres126, Torsten Landsiedel, Towhidul Islam, trasweb, Travis Northcutt, travisseitler, triplejumper12, truchot, truongwp, Tugdual de Kerviler, Tung Du, Udit Desai, Ulrich, Utsav tilava, Vaishali Panchal, vbaimas, Venutius, Viktor Veljanovski, Vishal Kakadiya, vishitshah, vladlu, Vladut Ilie, vortfu, Vova Feldman, vrimill, w3rkjana, Webdados (Marco Almeida), WebMan Design | Oliver Juhas, Weston Ruter, William Earnhardt, William P. Davis, William Patton, withinboredom, worldweb, yanngarcia, Yannicki, yarnboy, yashar_hv, Yoav Farhi, yodiyo, Yui, Yvette Sonneveld, zaantar, zalak151291, Zebulan Stanphill, Česlav Przywara, Айрат Халитов 🔥, and 水野史土.

Also, many thanks to all of the community volunteers who contribute in the support forums. They answer questions from people across the world, whether they are using WordPress for the first time or since the first release. These releases are more successful for their efforts!

If you want learn more about volunteering with WordPress, check out Make WordPress or the core development blog.


Thanks for choosing WordPress!

WordPress 5.3 RC4

The fourth release candidate for WordPress 5.3 is now available!

WordPress 5.3 is currently scheduled to be released on November 12 2019, but we need your help to get there—if you haven’t tried 5.3 yet, now is the time!

There are two ways to test the WordPress 5.3 release candidate:

For details about what to expect in WordPress 5.3, please see the first,  second and third release candidate posts.

Release Candidate 4 contains three bug fixes for the new default theme, Twenty Twenty (see #48450), and addresses the following:

  • The Twemoji library has been updated from 12.1.2 to 12.1.3 (see #48293).
  • Two regressions in the Media component (see #48451 and #48453).
  • One bug in the Upload component (see #48472)
  • Five bugs in the Block Editor component (see #48502)

Plugin and Theme Developers

Please test your plugins and themes against WordPress 5.3 and update the Tested up to version in the readme to 5.3. If you find compatibility problems, please be sure to post to the support forums so we can figure those out before the final release.

The WordPress 5.3 Field Guide has also been published, which details the major changes.

A new dev note has been published since the Field Guide was released, Use of the “wp_update_attachment_metadata” filter as “upload is complete” hook. Plugin and theme authors are asked to please read this note and make any necessary adjustments to continue working well in WordPress 5.3 or share any difficulties encountered on #48451.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

WordPress 5.3 RC3

The third release candidate for WordPress 5.3 is now available!

WordPress 5.3 is currently scheduled to be released on November 12 2019, but we need your help to get there—if you haven’t tried 5.3 yet, now is the time!

There are two ways to test the WordPress 5.3 release candidate:

For details about what to expect in WordPress 5.3, please see the first and second release candidate posts.

Release Candidate 3 contains improvements to the new About page, bug fixes for the new default theme, Twenty Twenty (see #48450), and 9 fixes for the following bugs and regressions:

  • Four bugs in the block editor have been fixed (see #48447).
  • Three Date/Time related bugs have been fixed (see #48384).
  • A regression in date_i18n() has been fixed (see #28636).
  • An accessibility color contrast regression for primary buttons when using alternate admin color schemes was fixed (see #48396).

Plugin and Theme Developers

Please test your plugins and themes against WordPress 5.3 and update the Tested up to version in the readme to 5.3. If you find compatibility problems, please be sure to post to the support forums so we can figure those out before the final release.

The WordPress 5.3 Field Guide has also been published, which details the major changes.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

WordPress 5.3 Release Candidate

The first release candidate for WordPress 5.3 is now available!

This is an important milestone as we progress toward the WordPress 5.3 release date. “Release Candidate” means that the new version is ready for release, but with millions of users and thousands of plugins and themes, it’s possible something was missed. WordPress 5.3 is currently scheduled to be released on November 12, 2019, but we need your help to get there—if you haven’t tried 5.3 yet, now is the time!

There are two ways to test the WordPress 5.3 release candidate:

What’s in WordPress 5.3?

WordPress 5.3 expands and refines the Block Editor introduced in WordPress 5.0 with new blocks, more intuitive interactions, and improved accessibility. New features in the editor increase design freedoms, provide additional layout options and style variations to allow designers complete control over the look of a site.

This release also introduces the Twenty Twenty theme giving the user more design flexibility and integration with the Block Editor.

In addition, WordPress 5.3 allows developers to work with dates and timezones in a more reliable way and prepares the software to work with PHP 7.4 to be release later this year.

Plugin and Theme Developers

Please test your plugins and themes against WordPress 5.3 and update the Tested up to version in the readme file to 5.3. If you find compatibility problems, please be sure to post to the support forums so we can figure those out before the final release.

The WordPress 5.3 Field Guide will be published within the next 24 hours with a more detailed dive into the major changes.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages! This release also marks the hard string freeze point of the 5.3 release schedule.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

WordPress 5.2.4 Security Release

WordPress 5.2.4 is now available! This security release fixes 6 security issues.

WordPress versions 5.2.3 and earlier are affected by these bugs, which are fixed in version 5.2.4. Updated versions of WordPress 5.1 and earlier are also available for any users who have not yet updated to 5.2.

Security Updates

  • Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.
  • Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.
  • Props to Weston Ruter for finding a way to create a stored XSS to inject Javascript into style tags.
  • Props to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.
  • Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.
  • Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.

Thank you to all of the reporters for privately disclosing the vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.

For more info, browse the full list of changes on Trac or check out the Version 5.2.4 documentation page.

WordPress 5.2.4 is a short-cycle security release. The next major release will be version 5.3.

You can download WordPress 5.2.4 or visit Dashboard → Updates and click Update Now. Sites that support automatic background updates have already started to update automatically.

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.2.4:

Aaron D. Campbell, darthhexx, David Binovec, Jonathan Desrosiers, Ian Dunn, Jeff Paul, Nick Daugherty, Konstantin Obenland, Peter Wilson, Sergey Biryukov, Stanimir Stoyanov, Garth Mortensen, vortfu, Weston Ruter, Jake Spurlock, and Alex Concha.

WordPress 5.3 Beta 3

WordPress 5.3 Beta 3 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site to play with the new version.

You can test the WordPress 5.3 beta in two ways:

WordPress 5.3 is slated for release on November 12, 2019, and we need your help to get there.

Thanks to the testing and feedback from everyone who tested beta 2 (and beta 1) over 60 tickets have been closed in the past week.

Some highlights

  • Fixes and enhancements in the admin interface changes introduced in previous 5.3 beta releases.
  • Wording changes in login screen (#43037).
  • Improved accessibility in media upload modal (#47149).
  • Changes in the way the new error handling with images works (#48200).
  • MediaElement.js has been updated from 4.2.6 to 4.2.13 (#46681). The script is now also being loaded in the footer again. This fixes a regression that happened two years ago, so might be worth noting (#44484).
  • Update to the REST API media endpoint to allow resuming of uploads (#47987).

In addition to these, Beta 3 landed a number of small consistency and polish changes to the REST API, including an improvement to the permissions check used when editing comments, a fix for post type controller caching edge cases, and most importantly, the ability to use the _embed parameter to access the full data for a post using the /wp/v2/search endpoint.

Developer notes

WordPress 5.3 has lots of refinements to polish the developer experience. To keep up, subscribe to the Make WordPress Core blog and pay special attention to the developer notes tag for updates on those and other changes that could affect your products.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac where you can also find a list of known bugs.

WordPress 5.3 Beta 2

WordPress 5.3 Beta 2 is now available!

This software is still in development, so we don’t recommend running it on a production site. Consider setting up a test site to play with the new version.

You can test the WordPress 5.3 beta in two ways:

WordPress 5.3 is slated for release on November 12, 2019, and we need your help to get there.

Thanks to the testing and feedback from everyone who tested beta 1, over 45 tickets have been closed since then.

Some highlights

  • Work continues on the block editor.
  • Bugs fixed on Twenty Twenty.
  • Accessibility bugs fixes and enhancements on the interface changes introduced with 5.3 beta 1:
    • Iterate on the admin interface
    • Reduce potential backward compatibility issues
    • Improve consistency between admin screens and the block editor
    • Better text zoom management
  • Support rel="ugc" attribute value in comments (#48022) – this particular ticket shows the WordPress project ability to integrate quick solutions to things that are changing unexpectedly – like Google new features.

Developer notes

WordPress 5.3 has lots of refinements to polish the developer experience. To keep up, subscribe to the Make WordPress Core blog and pay special attention to the developers notes for updates on those and other changes that could affect your products.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac where you can also find a list of known bugs.