WordPress security release, and 4.5 development kicks off
It was the first truly busy day in WordPress core land since the release of WordPress 4.4. Two big things happened:
A maintenance and security update was released in WordPress 4.4.1, and the security component affected all versions back that can be auto-updated, to 3.7.
WordPress 4.5 kicked off with the first meeting to discuss some potential new features and areas of focus.
4.4.1 Release
First, the security update. There was one security issue, reported by an independent researcher whom goes by Crtc4l and is from the Philippines. The vector was an XSS vulnerability within the usage of WP_Error for various theme checks that have been in place for some time. The vulnerability does require passing additional capability checks (that I’m not well versed enough to identify), and it doesn’t seem likely to have been in mass use, if it was being used to exploit sites at all.
The maintenance component of the release fixed 52 bugs and of course Gary Pendergast used it as the right time to update Emoji (enabling “diverse Emoji”). Aaron Jorbin led the minor update and a lot of people contributed, which is really cool for a non-major release.
WordPress 4.5 underway
WordPress 4.5 is also officially underway, and there was a meeting today to discuss potential feature plugins and focus areas. The release is being lead by Mike Schroder, and he announced that Adam Silverstein will serve as a deputy lead, and Mel Choyce as a design deputy lead.
A number of Features as Plugins are in development, and those will be discussed in more detail next Tuesday. A few potential customizer features were discussed today, including resizing customizer panes and the ability to add content drafts when creating menus. There was also discussion around revamping the publish metabox, addressing mixed content issues (http warnings on https sites) once and for all, and continuing efforts with responsive images.
There is also a wishlist thread, like was done in 4.4, where many people piped up with what they want to see. It’s a lot to wade through, but there are some good ideas there.
Some of my favorites / popular choices:
- Cropping images only on demand
- JavaScript actions and filters
- The fields API
- Shiny Updates part 2
- Toolbar experiments
- Shortcake shortcode UI
- A notifications API!
Keep in mind this post means nothing, and nothing talked about today or in the above list is even close to guaranteed. But it’s a start! WordPress 4.5 will move quick, and the planned release date is April 12th, which means feature plugins will need to be merged in early February. That’s very soon, and why feature plugins often take many releases before going into core. I honestly am amazed any big features got into core before 3.8, when features as plugins were introduced.
Now’s a great time to start working on your favorite ticket or component if you want to see it go into WordPress 4.5.
