This security and maintenance release features 23 fixes and enhancements. Plus, it adds a number of security fixes—see the list below.
These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade.
If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the bugs for you.
WordPress versions 5.4 and earlier are affected by the following bugs, which are fixed in version 5.4.2. If you haven’t yet updated to 5.4, there are also updated versions of 5.3 and earlier that fix the security issues.
Props to Ben Bidner of the WordPress Security Team for finding an open redirect issue in wp_validate_redirect().
Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme uploads.
Over the past week, I’ve been thinking a lot about George Floyd, Breonna Taylor, and Ahmaud Arbery. I have been thinking about white supremacy, the injustice that Black women and men are standing up against across the world, and all the injustices I can’t know, and don’t see.
The WordPress mission is to democratize publishing, and to me, that has always meant more than the freedom to express yourself. Democratizing publishing means giving voices to the voiceless and amplifying those speaking out against injustice. It means learning things that we otherwise wouldn’t. To me, it means that every voice has the ability to be heard, regardless of race, wealth, power, and opportunity. WordPress is a portal to commerce; it is a canvas for identity, and a catalyst for change.
While WordPress as an open source project may not be capable of refactoring unjust judicial systems or overwriting structural inequality, this does not mean that we, the WordPress community, are powerless. WordPress can’t dismantle white supremacy, but the WordPress community can invest in underrepresented groups (whose experiences cannot be substituted for) and hire them equitably. WordPress can’t eradicate prejudice, but the WordPress community can hold space for marginalized voices in our community.
There is a lot of racial, societal, and systemic injustice to fight. At times, change may seem impossible, and certainly, it’s been too slow. But I know in my heart that the WordPress community is capable of changing the world.
If you would like to learn more about how to make a difference in your own community, here are a few resources I’ve gathered from WordPressers just like you.
May was an action-packed month for WordPress! WordPress organizers are increasingly moving WordCamps online, and contributors are taking big steps towards Full Site Editing with Gutenberg. To learn more and get all the latest updates, read on.
Gutenberg 8.1 and 8.2
Gutenberg 8.1 was released on May 13, followed quickly by Gutenberg 8.2 on May 27.
8.1 added new block pattern features making it easier to insert desired patterns, along with a new pattern. It also added a button to collapsed block actions for copying the selected block, which will help touchscreen users or users who don’t use keyboard shortcuts.
8.2 introduced block pattern categories and a `viewportWidth` property that will be particularly useful for large block patterns. There is also a new content alignment feature, and enhancements to improve the writing experience.
Both releases include a number of new APIs, enhancements, bug fixes, experiments, new documentation, improvement to code quality, and more! To learn the latest, visit the announcement posts for Gutenberg 8.1 and Gutenberg 8.2.
Gutenberg Phase 2: Steps Towards Full Site Editing
Contributors are currently working hard on Phase 2 of Gutenberg! Where Phase 1 introduced the new block editor with WordPress 5.0, Phase 2 sees more customization and includes one of the biggest Gutenberg projects: Full Site Editing (FSE). At the moment, work on WordPress 5.5 has been initiated and contributors decided to include basic functionality for Full Site Editing in this release. FSE hopes to streamline the site creation and building process in WordPress using a block-based approach. There’s a lot of conversation and new information about FSE, so communication around the project is very important. On May 28th, a conversation was held in the #core-customize channel to discuss FSE and the future of the Customizer. To help everyone track the latest information, this post summarizes ways to keep up with FSE.
Representatives of the Themes Review Team have decided to update their team name to “Themes Team.” This decision reflects changes that the block editor brings to the landscape of themes with the Full Site Editing project. The team has always been involved in projects beyond reviewing WordPress.org themes and lately, the team has been contributing more to themes in general — including open-source packages, contributions to Full Site Editing, the Twenty Twenty theme, and more. You can read more about the name change in the team’s meeting notes.
On May 13th, BuddyPress 6.0.0, known as “iovine’s,” was released. This release includes two new blocks for the WordPress Editor: Members and Groups. It also saw the completion of the BP REST API, adding the six remaining endpoints, and the move of local avatar management to the Members component. Beyond that, 6.0.0 includes more than 80 changes, made possible by 42 contributors.
WordPress Meetup organizers in Spain joined hands to organize WordCamp Spain online from May 6 to 9, which proved to be a huge success. The event had more than 5,500 attendees, 60 speakers, and 16 sponsors. Over 200 people from around the world participated in the Contributor Day. Matt Mullenweg hosted an AMA for the participants, facilitated by Matías Ventura’s on-the-spot Spanish translation.
The WordCamp Asia team has published a call for organizers for the January 2021 event — the call will close on June 8.
PHP and core version checks are coming into WordPress. This feature will prevent end-users from installing or activating a theme that is incompatible with their current version of PHP or WordPress. The change that has already been merged to core is slated to land in WordPress 5.5.
April continued to be a challenging time for the WordPress community, with many under stay-at-home recommendations. However, it was also an exciting month in which we created new ways to connect with and inspire each other! This month, amazing contributors moved more WordCamps online and shipped new releases for WordPress and Gutenberg. For the latest, read on.
It was another exciting month for Gutenberg, with the release of 7.9 and 8.0! Version 7.9 brought new block design tools, three new patterns, and improved block markup. Gutenberg 8.0 continued to refine the new block patterns feature, with additional options for inline formatting, and extending the functionality of the Code Editor. In addition to these new features, both releases included new enhancements and APIs, along with a number of bug fixes, performance improvements, some experiments, and more! You can read all the details about the latest Gutenberg releases in the announcement posts for 7.9 and 8.0.
BuddyPress 6.0.0-beta2 was released for testing in mid-April, leading to the BuddyPress 6.0.0 Release Candidate, announced on April 29. This is an important step before the final release of BuddyPress 6.0.0, which is slated for Thursday, May 14. Changes and new features in this release include moving the profile photo and user cover image under the BP Members component, and a new BP Rest API. Additionally, this release will introduce the first round of BuddyPress Blocks! Last, but not least, BuddyPress 6.0.0 will require at least PHP 5.6 and WordPress 4.8.
WordCamp US will take place online due to the COVID-19 pandemic. The event still runs from October 27-29, 2020, and will be free to anyone who wishes to attend. The team plans to offer what WCUS has historically brought to the community in person: sessions and workshops, Contributor Day, a hallway track, and of course, State of the Word.
Last month, WordCamp Europe decided to postpone its Porto event to 2021. This April, the WCEU organizing team announced that the 2020 WordCamp will be online! WordCamp Europe 2020 Online will take place from June 4-6, 2020, and tickets will be free. There will be a virtual Contributor Day on June 4, and then two half days of live-streamed talks and workshops. To participate, get your free ticket here.
This security and maintenance release features 17 bug fixes in addition to 7 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.
WordPress 5.4.1 is a short-cycle security and maintenance release. The next major release will be version 5.5.
You can download WordPress 5.4.1 from WordPress.org, or visit your Dashboard → Updates and click Update Now.
If you have sites that support automatic background updates, they’ve already started the update process.
Seven security issues affect WordPress versions 5.4 and earlier. If you haven’t yet updated to 5.4, all WordPress versions since 3.7 have also been updated to fix the following security issues:
Props to Muaz Bin Abdus Sattar and Jannes who both independently reported an issue where password reset tokens were not properly invalidated.
Props to ka1n4t for finding an issue where certain private posts can be viewed unauthenticated.
Props to Evan Ricafort for discovering an XSS issue in the Customizer.
Props to Ben Bidner from the WordPress Security Team who discovered an XSS issue in the search block.
Props to Nick Daugherty from WordPress VIP / WordPress Security Team who discovered an XSS issue in wp-object-cache.
Props to Ronnie Goodrich (Kahoots) and Jason Medeiros who independently reported an XSS issue in file uploads.
Props to Weston Ruter for fixing a stored XSS vulnerability in the WordPress customizer.
Additionally, an authenticated XSS issue in the block editor was discovered by Nguyen The Duc (ducnt) in WordPress 5.4 RC1 and RC2. It was fixed in 5.4 RC5. We wanted to be sure to give credit and thank them for all of their work in making WordPress more secure.
You’ve probably heard that WordPress is open source software, and may know that it’s created and run by volunteers. Enthusiasts share many examples of how WordPress has changed people’s lives for the better. In this monthly series, we share some of those lesser-known, amazing stories.
Computer science in the nineties
Mario has been hooked on computers ever since he got his first one in 1996. He started with digging into MS-DOS and Windows 3.1 first and learned tons by trial and error. Following that adventure, Mario built his first HTML site in 1999. He found development so exciting that he spent day and night learning QBasic and started working at the local PC game club. Mario got involved with several other things related to website administration (translating security bulletins, setting up simple sites, etc.) and soon found the technology field was full of activities he really enjoyed.
The Corporate Lifestyle
Mario started studying programming including an intensive high-level course for C#, Java development, and software engineering, and eventually got a job in a corporate environment. He soon became a team lead there, managing all the planning and paperwork for their projects.
But he continued freelancing on the side. He grew his own network of technical experts through attending, volunteering at, and organizing conferences. He also ran a technical forum and regularly spoke at universities and enterprise companies.
Remote Working and Business Opportunity
The combination of a high workload and a daily three-hour-long commute made Mario’s life difficult. Many of his friends were still studying, traveling or unemployed. The blissful and calm lives they lived seemed like a fairy tale to him. And even while both his managers and his clients were abroad, he was unable to obtain permission to work remotely.
So Mario decided to leave his job and start freelancing full time. But he found he faced a massive challenge.
He discovered Java projects were pretty large and required an established team of people working together in an office. All job opportunities were on-site, and some even required relocation abroad. Certified Java programmers weren’t being hired on a remote basis.
As Mario had some PHP experience from previous jobs, he used this to start his freelance career. For his projects, he used both plain PHP and PHP frameworks like CakePHP and CodeIgniter.
For a while, Mario accepted work using commonly known platforms including Joomla, Drupal, and WordPress. In addition, he worked on PHP, Java, Python and some C# projects for a couple of years, after which he decided to switch to WordPress completely.
One of his projects involved a technically challenging charity backed by several international organizations. Unexpected shortages in the team put him in the technical lead position. As a result, Mario found himself planning the next phases, meeting with the client regularly, and renegotiating the terms. The team completed the project successfully, and after the launch, a TV campaign led millions of visitors to the website.
As a result of the successful launch, this client invited Mario to participate in more WordPress projects, including building a custom framework.
“I wasn’t that acquainted with WordPress back then. For me, a conventional person trained in architectural design patterns and best practices, WordPress seemed like an eccentric young hipster somewhere on the line between insane and genius at the same time. I had to spend a couple of months learning WordPress from the inside out.”
As his interest in WordPress grew, Mario stopped delivering other custom platforms, and converted clients to WordPress.
For Mario, one of the key selling points of WordPress was the international openness. He had previously been involved with other open source communities, some of which were US-focused. He felt they were more reliant on meeting people in person. With events only taking place in the US, this made building relationships much harder for people living in other countries.
While the WordPress project started out in the US, the WordPress community quickly globalized. Dozens of WordCamps and hundreds of Meetup events take place around the globe every year. All of these events bring a wide variety of people sharing their enthusiasm for WordPress together.
For Mario, the birth of WordCamp Europe was something magical. The fact that hundreds, and later on thousands, of people from all over the world gathered around the topic of WordPress speaks for itself. Mario has been involved with organizing WordCamp Europe twice (in 2014 and 2015).
“There’s nothing like meeting WordPress enthusiasts and professionals from more than 50 countries brainstorming and working together at a WordCamp. You simply have to be there to understand how powerful it all is.”
Growing businesses and teams
A key WordPress benefit is its popularity – an ever-growing project currently powering more than 35% of the Internet. It’s popular enough to be a de facto standard for websites, platforms, e-commerce and blogs.
WordPress has a low barrier to entry. You can achieve a lot without being an expert, meaning most people can start gaining experience without having to spend years learning how to code. That also makes it easier to build businesses and teams.
“Being able to use a tool that is user-friendly, not overly complicated and easily extensible makes introducing it to team members faster and easier. It requires less time for adjustment, and as a result makes a team stronger and faster. The fact that this tool is cost-effective also allows more startups to enter the market. It requires less time and investments to launch an MVP. This boosts the entire ecosystem.”
Mario also introduced WordPress to children and young people. He taught them how to use WordPress as a tool for homework and class assignments. By using WordPress, they were able to learn the basics of designing themes, developing plugins, marketing statistics, social media, copywriting, and so much more. This approachable introduction to the software meant technical skills were not needed.
He was also part of a team of volunteers who helped a group of young people living at a foster home and struggling to provide for themselves. The team taught the basic digital literacy skills necessary in the modern workplace, skills that could potentially help them pay for their rent and basic needs. This included working with Microsoft Word, Excel and WordPress, as well as some basic design and marketing skills.
“When you look at that from another perspective, a platform that could save lives – literally – and change the world for better is worth contributing to, in any possible manner.”
Contributing to the WordPress community
From the core team to supporting and organizing WordCamps, Mario has long been an active contributor to the global WordPress project. He is passionate about the connections fostered by people who are involved in building both the WordPress software and the community around it.
“The WordPress community consists of people of all race and color, living all around the world, working as teachers, developers, bloggers, designers, business owners. Let’s work together to help each other. Let’s stick together and show the world WordPress can help make it a better place.”