WordPress Managed - Package updates
-
[2.20.2]
- Update WordPress to 5.8.3
- Release announcement
- Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for disclosing an issue with stored XSS through post slugs.
- Props to Simon Scannell of SonarSource for reporting an issue with Object injection in some multisite installations.
- Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a SQL injection vulnerability in WP_Query.
- Props to Ben Bidner from the WordPress security team for reporting a SQL injection vulnerability in WP_Meta_Query (only relevant to versions 4.1-5.8).
-
[2.24.0]
- Update WordPress to 6.0.1
- Release announcement
- Email Display Name support. Please note that you have to set any custom mail from display name in the Email section.
-
[2.24.1]
- Update WordPress to 6.0.2
- Release announcement
- #56112 – Allow remote pattern registration in theme.json when core patterns are disabled
- #56184 – register_block_type does not recognise “ancestor” block setting
- #56210 – What’s new page design issue in core wordpress
- #56225 – `@since 6.1.0` appearing in 6.0.1
-
[2.24.3]
- Update WordPress to 6.0.3
- Release announcement
- Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
- Open redirect in `wp_nonce_ays` – devrayn
- Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
- Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
-
[2.25.0]
- Update WordPress to 6.1
- Release announcement
- Twenty Twenty-Three: A fresh default theme with 10 distinct style variations
- New templates for an improved creator experience
- Design tools for more consistency and control
- Manage menus with ease
- Cleaner layouts and document settings visualization
- One-click lock setting for all inner blocks
- Improved block placeholders
- Compose richer lists and quotes with inner blocks
- More Responsive text with fluid typography
- Add starter patterns to any post type
- A streamlined style system
-
[3.0.1]
- Update WordPress to 6.1.1
- Release announcement
- Post Featured Image: Fix height/scale overwriting border inline styles (#44213)
- Fluid typography: add font size constraints (#44993)
- Allow direct selection of nested Page List block by avoiding dual rendering within block (#45143)
- Fix popover deprecations (#45195)
- Components: Refactor ColorPalette tests to @testing-library/react (#44108)
- Convert the ColorPalette component to TypeScript (#44632)
-
[3.1.0]
- Update WordPress to 6.2
- Release announcement
- Meet the reimagined Site Editor
- Manage your menu in more ways with the Navigation block
- Discover a smoother experience for the Block Inserter
- Find the controls you want when you need them
- Build faster with headers and footers for block themes
- Explore Openverse media right from the Editor
- Focus on writing with Distraction Free mode
- Experience the Site Editor, now out of beta
- Meet the new Style Book
- Copy and paste styles
- Custom CSS
- Sticky positioning
- Importing widgets
- Local fonts in themes
-
[3.2.1]
- Update WordPress to 6.2.1
- Announcement
- Block themes parsing shortcodes in user generated data; thanks to Liam Gladdy of WP Engine for reporting this issue
- A CSRF issue updating attachment thumbnails; reported by John Blackbourn of the WordPress security team
- A flaw allowing XSS via open embed auto discovery; reported independently by Jakub Żoczek of Securitum and during a third party security audit
- Bypassing of KSES sanitization in block attributes for low privileged users; discovered during a third party security audit.
- A path traversal issue via translation files; reported independently by Ramuel Gall and during a third party security audit.