WordPress 5.1.1 Security and Maintenance Release

WordPress 5.1.1 is now available! This security and maintenance release introduces 10 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in 5.2.

This release also includes a pair of security fixes that handle how comments are filtered and then stored in the database. With a maliciously crafted comment, a WordPress post was vulnerable to cross-site scripting.

WordPress versions 5.1 and earlier are affected by these bugs, which are fixed in version 5.1.1. Updated versions of WordPress 5.0 and earlier are also available for any users who have not yet updated to 5.1.

Props to Simon Scannell of RIPS Technologies who discovered this flaw independent of some work that was being done by members of the core security team. Thank you to all of the reporters for privately disclosing the vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.

Other highlights of this release include:

  • Hosts can now offer a button for their users to update PHP.
  • The recommended PHP version used by the “Update PHP” notice can now be filtered.
  • Several minor bug fixes.

You can browse the full list of changes on Trac.

WordPress 5.1.1 was a short-cycle maintenance release. Version 5.1.2 is expected to follow a similar two week release cadence.

You can download WordPress 5.1.1 or visit Dashboard → Updates and click Update Now. Sites that support automatic background updates have already started to update automatically.

In addition to the security researcher mentioned above, thank you to everyone who contributed to WordPress 5.1.1:

Aaron Jorbin, Alex Concha, Andrea Fercia, Andy Fragen, Anton Vanyukov, Ben Bidner, bulletdigital, David Binovec, Dion Hulse, Felix Arntz, Garrett Hyder, Gary Pendergast, Ian Dunn, Jake Spurlock, Jb Audras, Jeremy Felt, Johan Falk, Jonathan Desrosiers, Luke Carbis, Mike Schroder, Milan Dinić, Mukesh Panchal, Paul Biron, Peter Wilson, Sergey Biryukov, and Weston Ruter.

WordPress 5.1 “Betty”

A Little Better Every Day

Version 5.1 of WordPress, named “Betty” in honour of acclaimed jazz vocalist Betty Carter, is available for download or update in your WordPress dashboard.

Following WordPress 5.0 — a major release which introduced the new block editor — 5.1 focuses on polish, in particular by improving the overall performance of the editor. In addition, this release paves the way for a better, faster, and more secure WordPress with some essential tools for site administrators and developers.

Site Health

With security and speed in mind, this release introduces WordPress’s first Site Health features. WordPress will start showing notices to administrators of sites that run long-outdated versions of PHP, which is the programming language that powers WordPress.

When you install new plugins, WordPress’s Site Health features will check them against the version of PHP you’re running. If the plugin requires a version that won’t work with your site, WordPress will keep you from installing that plugin.

Editor Performance

Introduced in WordPress 5.0, the new block editor continues to improve. Most significantly, WordPress 5.1 includes solid performance improvements within the editor. The editor should feel a little quicker to start, and typing should feel smoother.

Expect more performance improvements in the next couple of releases.


Developer Happiness

Multisite Metadata

5.1 introduces a new database table to store metadata associated with sites and allows for the storage of arbitrary site data relevant in a multisite / network context.

Cron API

The Cron API has been updated with new functions to assist with returning data and includes new filters for modifying cron storage. Other changes in behavior affect cron spawning on servers running FastCGI and PHP-FPM versions 7.0.16 and above.

New JS Build Processes

WordPress 5.1 features a new JavaScript build option, following the large reorganisation of code that started in the 5.0 release.

Other Developer Goodness

Miscellaneous improvements include:

  • Updates to values for the WP_DEBUG_LOG constant
  • New test config file constant in the test suite, new plugin action hooks
  • Short-circuit filters for wp_unique_post_slug(), WP_User_Query, and count_users()
  • A new human_readable_duration function
  • Improved taxonomy metabox sanitization
  • Limited LIKE support for meta keys when using WP_Meta_Query
  • A new “doing it wrong” notice when registering REST API endpoints

…and more!


The Squad

This release was led by Matt Mullenweg, along with Gary Pendergast as Senior Code Reshuffler and Poet. They received wonderful assistance from the following 561 contributors for this release, 231 of whom were making their first ever contribution! Pull up some Betty Carter on your music service of choice, and check out some of their profiles:

0x6f0, 1265578519, 1naveengiri, 360zen, aardrian, Aaron Jorbin, Abdullah Ramzan, Abhay Vishwakarma, Abhijit Rakas, Achal Jain, achbed, Adam Silverstein, Ajit Bohra, Alain Schlesser, aldavigdis, alejandroxlopez, Alex, Alex Shiels, Alexander Botteram, Alexandru Vornicescu, alexgso, All, allancole, Allen Snook, Alvaro Gois dos Santos, Ana Cirujano, Anantajit JG, Andrés, Andrea Fercia, Andrea Gandino, Andrea Middleton, andrei0x309, andreiglingeanu, Andrew Duthie, Andrew Lima, Andrew Nacin, Andrew Nevins, Andrew Ozz, Andrey Savchenko, Andy Fragen, Andy Meerwaldt, Angelika Reisiger, Antal Tettinger, antipole, Anton Timmermans, Antonio Villegas, antonioeatgoat, Anwer AR, Arun, Ashar Irfan, ashokrd2013, Ayesh Karunaratne, Ayub Adiputra, Barry Ceelen, Behzod Saidov, benhuberman, Benoit Chantre, benvaassen, Bhargav Mehta, bikecrazyy, Birgir Erlendsson, BjornW, Blair jersyer, blob, Blobfolio, bobbingwide, boblinthorst, Boone Gorges, Boro Sitnikovski, Brad Parbs, Bradley, bramheijmink, Brandon Kraft, Brandon Payton, Brent Swisher, Brian Richards, bridgetwillard, Brooke., bruceallen, Burhan Nasir, Bytes.co, Caleb Burks, Calin Don, campusboy, carolinegeven, ccismaru, chasewg, Chetan Prajapati, Chouby, ChriCo, chriscct7, Christopher Spires, claudiu, Clifford Paulick, Code Clinic, codegrau, coleh, conner_bw, Corey McKrill, croce, Csaba (LittleBigThings), Cyrus Collier, Daniel Bachhuber, Daniel James, Daniel Koskinen, Daniel Richards, Daniele Scasciafratte, danimalbrown, Danny Cooper, Danny de Haan, Darko A7, Darren Ethier (nerrad), Dave Pullig, David A. Kennedy, David Anderson, David Binovec, David Cramer, David Herrera, David Lingren, David Shanske, David Stone, dekervit, Denis Yanchevskiy, Dennis Snell, designsimply, dfangstrom, Dhanendran, Dharmesh Patel, Dhaval kasavala, Dhruvin, DiedeExterkate, Dilip Bheda, dingo_d, Dion Hulse, dipeshkakadiya, Dominik Schilling, Donncha O Caoimh, dontstealmyfish, Drew Jaynes, Drivingralle, drywallbmb, dschalk, dsifford, eamax, eArtboard, edo888, edocev, ElectricFeet, Ella Van Durpe, Eric Andrew Lewis, Eric Daams, Erich Munz, Erick Hitter, ericmeyer, etoledom, Evan Solomon, Evangelos Athanasiadis, ever, everyone, Faisal Alvi, Felipe Elia, Felix Arntz, Fernando Claussen, flipkeijzer, Florian TIAR, folio, FPCSJames, Frank Klein, frOM, fuchsws, fullyint, Gabriel Maldonado, Gareth, Garrett Hyder, Gary Jones, Gennady Kovshenin, Gerhard Potgieter, Girish Panchal, GM_Alex, gnif, graymouser, greg, Grzegorz (Greg) Ziółkowski, Guido, GutenDev, Hafiz Rahman, Hai@LiteSpeed, Hans-Christiaan Braun, Hardeep Asrani, Hardik Amipara, Harsh Patel, haruharuharuby, Heather Burns, Helen Hou-Sandi, Henry Wright, Herre Groen, hitendra, Hitendra Chopda, Ian Belanger, Ian Dunn, ibantxillo, Ignacio Cruz Moreno, Igor, Igor Benic, imath, ionvv, Irene Strikkers, isabel104, ishitaka, Ivan Mudrik, J.D. Grimes, Jack Reichert, Jacob Peattie, James Nylen, janak Kaneriya, janalwin, Janki Moradiya, janthiel, Jason Caldwell, javorszky, Jaydip Rami, Jayman Pandya, Jb Audras, Jeff Farthing, Jeffrey de Wit, Jeffrey Paul, Jennifer M. Dodd, Jenny, Jeremey, Jeremy Felt, Jeremy Herve, Jeremy Pry, Jeremy Scott, Jesper V Nielsen, Jesse Friedman, Jimmy Comack, Jip Moors, Jiri Hon, JJJ, joanrho, Job, Joe Bailey-Roberts, Joe Dolson, Joe Hoyle, Joe McGill, Joel James, Joen Asmussen, John Blackbourn, John Godley, johnalarcon, johnpgreen, johnschulz, Jonathan Champ, Jonathan Desrosiers, joneiseman, Jonny Harris, Joost de Valk, Jorge Costa, Joseph Scott, JoshuaWold, Joy, jpurdy647, jrdelarosa, jryancard, Juhi Patel, Julia Amosova, juliemoynat, Juliette Reinders Folmer, Junaid Ahmed, Justin Sainton, Justin Sternberg, Justin Tadlock, K.Adam White, kapteinbluf, keesiemeijer, Kelly Dwan, kelvink, khaihong, Kiran Potphode, Kite, kjellr, kkarpieszuk, kmeze, Knut Sparhell, konainm, Konstantin Obenland, Konstantinos Xenos, kristastevens, krutidugade, laghee, Laken Hafner, Lance Willett, laurelfulford, lbenicio, Leander Iversen, leemon, lenasterg, lisannekluitmans, lizkarkoski, Luca Grandicelli, LucasRolff, luciano, Luminus, Mário Valney, maartenleenders, macbookandrew, Maja Benke, Mako, mallorydxw-old, Manuel Augustin, manuel_84, Marc Nilius, marcelo2605, Marco Martins, marco.marsala, Marcus Kazmierczak, marcwieland95, Marius L. J., mariusvw, Mariyan Belchev, Mark Jaquith, Mathieu Sarrasin, mathieuhays, Matt Cromwell, Matt Gibbs, Matt Martz, Matthew Boynes, Matthew Riley MacPherson, mattyrob, mcmwebsol, Mel Choyce, mensmaximus, mermel, metalandcoffee, Micah Wood, Michael Nelson, Michiel Heijmans, Migrated to @sebastienserre, Miguel Fonseca, Miguel Torres, mihaiiceyro, mihdan, Mike Gillihan, Mike Jolley, Mike Schroder, Milan Dinić, Milan Ivanovic, Milana Cap, Milind More, mirkoschubert, Monika Rao, Monique Dubbelman, moto hachi ( mt8.biz ), mrmadhat, Muhammad Kashif, Mukesh Panchal, MultiformeIngegno, Muntasir Mahmud, munyagu, MyThemeShop, mzorz, nadim0988, nandorsky, Naoki Ohashi, Naoko Takano, nataliashitova, Nate Allen, Nathan Johnson, ndavison, Ned Zimmerman, Nextendweb, Nick Diego, Nick Halsey, Nick Momrik, Nick the Geek, Nicolas Figueira, Nicolas GUILLAUME, Nicolle Helgers, Nidhi Jain, Niels Lange, Nikhil Chavan, Nilambar Sharma, Noam Eppel, notnownikki, odyssey, Omar Reiss, Omkar Bhagat, on, others, Ov3rfly, Paal Joachim Romdahl, palmiak, panchen, parbaugh, Parham Ghaffarian, Pascal Birchler, Pascal Casier, Paul Bearne, Paul Biron, Paul Paradise, Paul Schreiber, Perdaan, Peter Putzer, Peter Wilson, Petter Walbø Johnsgård, Pierre Saïkali, Pieter Daalder, Piyush Patel, poena, Pramod Jodhani, Prashant Baldha, Pratik K. Yadav, Pratik K. Yadav, precies, Presskopp, Presslabs, PressTigers, programmin, Punit Patel, Purnendu Dash, qcmiao, Rachel Baker, Rachel Cherry, Rachel Peter, Rafsun Chowdhury, Rahul Prajapati, Raja Mohammed, Ramanan, Rami Yushuvaev, Ramiz Manked, ramonopoly, RavanH, redcastor, remyvv, rensw90, rhetorical, Riad Benguella, Rian Rietveld, Richard Tape, Ricky Lee Whittemore, Rinku Y, Rishi Shah, Robbie, robdxw, Robert Anderson, Robin Cornett, Robin van der Vliet, Ryan McCue, Ryan Paul, Ryan Welcher, ryotsun, Sébastien SERRE, Saša, sagarnasit, Sami Ahmed Siddiqui, Sami Keijonen, Samuel Wood (Otto), sarah semark, Sayed Taqui, Scott Lee, Scott Reilly, Sean Hayes, Sebastian Kurzynoswki, Sebastian Pisula, Sergey Biryukov, Shamim Hasan, Shane Eckert, Sharaz Shahid, Shashwat Mittal, Shawn Hooper, sherwood, Shital Marakana, Shiva Poudel, Simon Prosser, sjardo, skoldin, slilley, slushman, Sonja Leix, sonjanyc, Soren Wrede, spartank, spyderbytes, Stanimir Stoyanov, Stanko Metodiev, stazdotio, Stephen Edgar, Stephen Harris, stevenlinx, Storm Rockwell, Stoyan Kostadinov, strategio, Subrata Sarkar, Sultan Nasir Uddin, swift, Takahashi Fumiki, Takayuki Miyauchi, Tammie Lister, Taylor Lovett, teddytime, Terri Ann, terwdan, tharsheblows, the, ThemeZee, Thomas Patrick Levy, Thomas Vitale, thomaswm, Thorsten Frommen, Thrijith Thankachan, Tiago Hillebrandt, tigertech, Tim Havinga, Tim Hengeveld, Timmy Crawford, Timothy Jacobs, titodevera, Tkama, to, Tobias Zimpel, Tom J Nowell, TomHarrigan, Tommy, tonybogdanov, Tor-Bjorn Fjellner, TorontoDigits, Toshihiro Kanai, Towhidul Islam, transl8or, Ulrich, upadalavipul, Usman Khalid, Utsav tilava, uttam007, Vaishali Panchal, Valérie Galassi, valchovski, vishaldodiya, vnsavage, voneff, warmlaundry, wbrubaker, Weston Ruter, who, Will Kwon, William Earnhardt, williampatton, wpcs, wpzinc, xhezairi, Yahil Madakiya, Yoav Farhi, Yui, YuriV, Zane Matthew, and zebulan.

Finally, thanks to all the community translators who worked on WordPress 5.1. Their efforts bring WordPress 5.1 fully translated to 34 languages at release time, with more on the way.

If you want to follow along or help out, check out Make WordPress and our core development blog.

Thanks for choosing WordPress!

WordPress 5.1 RC2

The second release candidate for WordPress 5.1 is now available!

WordPress 5.1 will be released on Thursday, February 21, but we need your help to get there—if you haven’t tried 5.1 yet, now is the time!

There are two ways to test the WordPress 5.1 release candidate: try the WordPress Beta Tester plugin (you’ll want to select the “bleeding edge nightlies” option), or you can download the release candidate here (zip).

For details about what to expect in WordPress 5.1, please see the first release candidate post.

This release includes the final About page design. It also contains fixes for:

  • New WordPress installs not setting the database table prefix correctly (#46220).
  • A HTTP error occurring when opening browser developer tools (#46218).
  • The legacy media dialog having incorrect pagination link styling (#41858).
  • The comment form not appearing when clicking “Reply” on comments loaded via Ajax (#46260).

Plugin and Theme Developers

Please test your plugins and themes against WordPress 5.1 and update the Tested up to version in the readme to 5.1. If you find compatibility problems, please be sure to post to the support forums so we can figure those out before the final release.

The WordPress 5.1 Field Guide has also been published, which goes into the details of the major changes.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.


WordPress Five Point One:
It’s so slick, shiny, and new.
Lands in a few days!

WordPress 5.1 Release Candidate

The first release candidate for WordPress 5.1 is now available!

This is an important milestone, as the release date for WordPress 5.1 draws near. “Release Candidate” means that the new version is ready for release, but with millions of users and thousands of plugins and themes, it’s possible something was missed. WordPress 5.1 is scheduled to be released on Thursday, February 21, but we need your help to get there—if you haven’t tried 5.1 yet, now is the time!

There are two ways to test the WordPress 5.1 release candidate: try the WordPress Beta Tester plugin (you’ll want to select the “bleeding edge nightlies” option), or you can download the release candidate here (zip).

What’s in WordPress 5.1?

Inspired by Archie Bell & The Drells, WordPress’s theme for 2019 is to “tighten up”, and WordPress 5.1 focussed on exactly that.

With security and speed in mind, this release introduces WordPress’s first Site Health features. WordPress will start showing notices to administrators of sites that run long-outdated versions of PHP, which is the programming language that powers WordPress.

Furthermore, when installing new plugins, WordPress’s Site Health features will check whether a plugin requires a version of PHP incompatible with your site. If so, WordPress will prevent you from installing that plugin.

The new block editor has kept improving since its introduction in WordPress 5.0. Most significantly, WordPress 5.1 includes solid performance improvements within the editor. The editor should feel a little quicker to start, and typing should feel smoother. There are more features and performance improvements planned in upcoming WordPress releases, you can check them out in the Gutenberg plugin.

Plugin and Theme Developers

Please test your plugins and themes against WordPress 5.1 and update the Tested up to version in the readme to 5.1. If you find compatibility problems, please be sure to post to the support forums so we can figure those out before the final release.

The WordPress 5.1 Field Guide has also been published, which goes into the details of the major changes.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages! This release also marks the hard string freeze point of the 5.1 release schedule.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.


This is my release
candidate. There are many
like it. This is mine.

..

WordPress 5.1 Beta 3

WordPress 5.1 Beta 3 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site to play with the new version.

There are two ways to test the WordPress 5.1 beta: try the WordPress Beta Testerplugin (you’ll want to select the “bleeding edge nightlies” option), or you can download the beta here (zip).

WordPress 5.1 is slated for release on February 21, and we need your help to get there!

Site Health Check

One of the features originally slated for WordPress 5.1—the PHP error protection handler—will target WordPress 5.2 instead. Some potential security issues were discovered in the implementation: rather than risk releasing insecure code, the team decided to pull it out of WordPress 5.1. The work in #46130 is showing good progress towards addressing the security concerns, if you’d like to follow development progress on this feature.

Additional Changes

A handful of smaller bugs have also been fixed in this release, including:

  • TinyMCE has been upgraded to version 4.9.2 (#46094).
  • The block editor has had a couple of bugs fixed (#46137).
  • A few differences in behaviour between the classic block and the classic editor have been fixed (#46062, #46071, #46085).
  • When adding rel attributes to links, ensure the value isn’t empty (#45352), and that it works as expected with customizer changesets (#45292).

Developer Notes

WordPress 5.1 has many changes aimed at polishing the developer experience. To keep you informed, we publish developers’ notes on the Make WordPress Core blog throughout the release cycle. Subscribe to the Make WordPress Core blog for updates over the coming weeks, detailing other changes in 5.1 that you should be aware of.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages! The beta 2 release also marks the soft string freeze point of the 5.1 release schedule.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.


In just a few weeks
WordPress Five-One will be here.
Your testing helps us!

WordPress 5.1 Beta 2

WordPress 5.1 Beta 2 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site to play with the new version.

There are two ways to test the WordPress 5.1 beta: try the WordPress Beta Tester plugin (you’ll want to select the “bleeding edge nightlies” option), or you can download the beta here (zip).

WordPress 5.1 is slated for release on February 21, and we need your help to get there!

Over 110 tickets have been closed since beta 1, many of which are documentation and testing suite improvements. Here are the major changes and bug fixes:

  • Several refinements and bug fixes related to the Site Health project have been made.
  • The pre_render_block and render_block_data filters have been introduced allowing plugins to override block attribute values (#45451, dev note coming soon).
  • get_template_part() will now return a value indicating whether a template file was found and loaded (#40969).
  • A notice will now be triggered when developers incorrectly register REST API endpoints (related dev note).
  • Bulk editing posts will no longer unintentionally change a post’s post format (#44914)
  • Twemoji has been updated to the latest version, 11.2.0 (#45133).
  • A bug preventing the Custom Fields meta box from being enabled has been fixed (#46028).
  • The treatment of orderby values for post__in, post_parent__in, and post_name__in has been standardized (#38034).
  • When updating language packs, old language packs are now correctly deleted to avoid filling up disk space (#45468).

Developer Notes

WordPress 5.1 has many changes aimed at polishing the developer experience. To keep you informed, we publish developers notes on the Make WordPress Core blog throughout the release cycle. Subscribe to the Make WordPress Core blog for updates over the coming weeks, detailing other changes in 5.1 that you should be aware of.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages! The beta 2 release als marks the soft string freeze point of the 5.1 release schedule.

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.


Do you enjoy bugs?
I don’t. So, we fixed them all.
Well, not all. But close.

WordPress 5.1 Beta 1

WordPress 5.1 Beta 1 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site to play with the new version.

There are two ways to test the WordPress 5.1 beta: try the WordPress Beta Tester plugin (you’ll want to select the “bleeding edge nightlies” option), or you can download the beta here (zip).

WordPress 5.1 is slated for release on February 21, and we need your help to get there. Here are some of the big items to test so we can find as many bugs as possible in the coming weeks.

Site Health Check

Site Health Check is an ongoing project aimed at improving the stability and performance of the entire WordPress ecosystem. The first phase of this project is included in WordPress 5.1. For the first time, WordPress will catch and pause the problem code, so you can log in to your Dashboard and see what the problem is (#44458). Before, you’d have to FTP in to your files or get in touch with your host.

Additionally, in April 2019, WordPress’ will increase its minimum supported PHP version to 5.6. To help you check if you’re prepared for this change, WordPress 5.1 will show you a warning and help you upgrade your version of PHP, if necessary.

For Developers

  • The Cron system can now be more easily replaced with a custom cron handler (#32656).
  • When starting cron under PHP-FPM, the connection will return a response immediately, even for long running cron jobs (dev note).
  • WP_DEBUG_LOG can be set to a custom log location (#18391).
  • Introduced the wp_blogmeta table (#37923).
  • Added LIKE support to meta_key comparisons in WP_Meta_Query (#42409).

There have been over 360 tickets closed in WordPress 5.1, with numerous small bug fixes and improvements to help smooth your WordPress experience.

Keep your eyes on the Make WordPress Core blog for more developer notes (which are assigned the dev-notes tag) in the coming weeks detailing other changes in 5.1 that you should be aware of.

How to Help

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.


Miss my haiku?
I will have plenty for you
in the coming weeks.

WordPress 5.0.3 Maintenance Release

WordPress 5.0.3 is now available!

5.0.3 is a maintenance release that includes 37 bug fixes and 7 performance updates. The focus of this release was fine-tuning the new block editor, and fixing any major bugs or regressions.

Here are a few of the highlights:

For a full list of changes, please consult the list of tickets on Trac, changelog, or read a more technical summary on the Make WordPress Core blog.

You can download WordPress 5.0.3 or visit Dashboard → Updates on your site and click Update Now. Sites that support automatic background updates have already started to update automatically.

Thank you to everyone who contributed to WordPress 5.0.3:

Aaron Jorbin, Alex Shiels, allancole, Andrea Fercia, Andrew Nevins, Andrew Ozz, Birgir Erlendsson (birgire), bobbingwide, Csaba (LittleBigThings), David Binovec, David Herrera, Dominik Schilling (ocean90), Felix Arntz, Gary Pendergast, Gerhard Potgieter, Grzegorz (Greg) Ziółkowski, Jb Audras, Job, Joe McGill, Joen Asmussen, John Blackbourn, Jonathan Desrosiers, kjellr, laurelfulford, Marcus Kazmierczak, Milan Dinić, Muntasir Mahmud, Nick Halsey, panchen, Pascal Birchler, Ramanan, Riad Benguella, Ricky Lee Whittemore, Sergey Biryukov, Weston Ruter, and William Earnhardt.

WordPress 5.0.2 Maintenance Release

WordPress 5.0.2 is now available!

5.0.2 is a maintenance release that addresses 73 bugs. The primary focus of this release was performance improvements in the block editor: the cumulated performance gains make it 330% faster for a post with 200 blocks.

Here are a few of the additional highlights:

For a full list of changes, please consult the list of tickets on Trac or the changelog.

You can download WordPress 5.0.2 or visit Dashboard → Updates and click Update Now. Sites that support automatic background updates have already started to update automatically.

Thank you to everyone who contributed to WordPress 5.0.2:

Alexander Babaev, Alex Kirk, allancole, Andrea Fercia, Andrew Ozz, Anton Timmermans, David Binovec, David Trower, Dominik Schilling, Eduardo Pittol, Gary Pendergast, Greg Raven, gziolo, herregroen, iCaleb, Jb Audras, Joen Asmussen, John Blackbourn, Jonathan Desrosiers, khleomix, kjellr, laurelfulford, Jeff Paul, mihaivalentin, Milan Dinić, Muntasir Mahmud, Pascal Birchler, Pratik K. Yadav, Riad Benguella, Rich Tabor, strategio, Subrata Sarkar, tmatsuur, TorontoDigits, Ulrich, Vaishali Panchal, volodymyrkolesnykov, Weston Ruter, Yui, ze3kr, and のむらけい.

WordPress 5.0.1 Security Release

WordPress 5.0.1 is now available. This is a security release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

Plugin authors are encouraged to read the 5.0.1 developer notes for information on backwards-compatibility.

WordPress versions 5.0 and earlier are affected by the following bugs, which are fixed in version 5.0.1. Updated versions of WordPress 4.9 and older releases are also available, for users who have not yet updated to 5.0.

  • Karim El Ouerghemmi discovered that authors could alter meta data to delete files that they weren’t authorized to.
  • Simon Scannell of RIPS Technologies discovered that authors could create posts of unauthorized post types with specially crafted input.
  • Sam Thomas discovered that contributors could craft meta data in a way that resulted in PHP object injection.
  • Tim Coen discovered that contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.
  • Tim Coen also discovered that specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations.
  • Team Yoast discovered that the user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses, and in some rare cases, default generated passwords.
  • Tim Coen and Slavco discovered that authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.

Thank you to all of the reporters for privately disclosing the vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.

Download WordPress 5.0.1, or venture over to Dashboard → Updates and click Update Now. Sites that support automatic background updates are already beginning to update automatically.

In addition to the security researchers mentioned above, thank you to everyone who contributed to WordPress 5.0.1:

Alex Shiels, Alex Concha, Anton Timmermans, Andrew Ozz, Aaron Campbell, Andrea Middleton, Ben Bidner, Barry Abrahamson, Chris Christoff, David Newman, Demitrious Kelly, Dion Hulse, Hannah Notess, Gary PendergastHerre Groen, Ian Dunn, Jeremy FeltJoe McGill, John James Jacoby, Jonathan DesrosiersJosepha Haden, Joost de Valk, Mo Jangda, Nick Daugherty, Peter Wilson, Pascal Birchler, Sergey Biryukov, and Valentyn Pylypchuk.