WordPress 5.7.1 Security and Maintenance Release
Security updates
Two security issues affect WordPress versions between 4.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 4.7 have also been updated to fix the following security issues:
- Thank you SonarSource for reporting an XXE vulnerability within the media library affecting PHP 8.
- Thanks Mikael Korpela for reporting a data exposure vulnerability within the latest posts block and REST API.
Thank you to all of the reporters for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.
Props to Adam Zielinski, Pascal Birchler, Peter Wilson, Juliette Reinders Folmer, Alex Concha, Ehtisham Siddiqui, Timothy Jacobs and the WordPress security team for their work on these issues.
Maintenance updates
WordPress 5.7.1 also fixes 26 regressions introduced in version 5.7:
Fixed Core tickets from Trac:
- 52787 – Empty array for non-single post meta breaks post save through REST API
- 52822 – PHPMailer change in WordPress 5.7 breaks working sites
- 52670 – Admin pointer arrow border color darker than pointer content
- 52713 – Reverse logic in wp_robots function and filter
- 52743 – Hardcoded SVG image URLs on WP 5.7 About screen
- 52750 – WP 5.7 colors inconsistent in get_option( 'admin_color' ) since color contrast changes
- 52751 – UI issue on Privacy Policy Guide page
- 52756 – Duplicate video URLs on WP 5.7 About screen
- 52758 – 5.7 About Page: Image comparison doesn’t work on first load on some browsers
- 52760 – Color not accessibility for AA
- 52764 – Classic editor adding empty tags in some media embed situations
- 52768 – WordPress post URL oEmbed rendering blocked by iframe lazy-loading
- 52783 – Health Check mis-reports https functionality in certain situations
- 52789 – Gallery layout block adds all media items when changing an image
- 52816 – Post metabox style Twenty Seventeen has a border
- 52826 – New wp_getimagesize() causing unexpected failures
- 52834 – Reset password screen: improve buttons layout for better i18n
- 52891 – Privacy: print screen reader text message
- 52894 – The wp_sanitize_script_attributes function added in version 5.7 does not escape attributes in some cases
- 52932 – Rest Api enum validation does not work correctly WordPress 5.7
- 52961 – Add ‘object-position’ as an allowed CSS attribute
- 52981 – Twenty Twenty-One: Update IE specific editor stylesheet
Fixed Block editor issues from GitHub:
- PR30218 – Core Data: Use getAuthors for showCombobox
- PR30524 – Editor: Revert (#27717) save editors value on change
- PR30122 – Gallery: Set addToGallery prop to false when images don’t have IDs
- PR29809 – Revert: Show empty paragraphs on fronted
- PR29860 – Try: Fix gallery item clicking
- PR29920 – Fix sibling block inserter displaying at end of block list
- PR30125 – Block Editor: Ensure that uncategorized block types are properly handled
- PR30243 – Add object-position to allowed inline style attributes list
The 5.7.1 release was led by @peterwilsoncc and @audrasjb.
How to install
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2021-3ebc6ab03a
This update has been submitted for testing by remi.
This update's test gating status has been changed to 'ignored'.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
This update can be pushed to stable now if the maintainer wishes.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.